Personal Information Request (PIR) Manual

The Personal Information Request Manual is intended as a reference tool to help ATIP Professionals interpret and administer the provisions of the Privacy Act (the Act) and the Privacy Regulations (the Regulations) that relate to requests to access personal information, and to meet the corresponding requirements outlined in TBS privacy policy instruments relating to the Act and Regulations.

Chapters of the new Manual will be published as they are completed. ATIP coordinators may direct any questions or comments about the Manual to the Privacy and Responsible Data Division.

On this page

  • Foreword

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    The Personal Information Request Manual (the Manual) was created by the Treasury Board of Canada Secretariat’s (TBS’s) Privacy and Responsible Data Division. It replaces the (archived) sections of the Treasury Board Manual: Privacy and Data Protection Guidelines that related to access to personal information.

    This Manual is intended as a reference tool to help Access to Information (ATI) and Privacy professionals interpret and administer the provisions of the Privacy Act (the Act) and the Privacy Regulations (the Regulations) that relate to requests to access personal information, and to meet the corresponding requirements outlined in TBS privacy policy instruments relating to the Act and Regulations.

    The Act provides individuals with the right of access to their own personal information under the control of a government institution, and with a right to request correction of their personal information. [The Act also sets out the obligations of government institutions regarding the collection, use, disclosure, retention and disposal of personal information they hold. For further information on these obligations, please see the Privacy Practices Manual (TBD).]

    Chapters of the Manual will be published as they are completed. This Manual is evergreen and may be amended as the subjects it covers evolve. As such, we invite you to consult the Manual regularly. Although not intended to provide an exhaustive account of approaches and situations, it is our hope that it will prove to be a valuable reference tool for the administration of the Privacy Act.

    The Manual is only available electronically on the Treasury Board of Canada Secretariat’s website.

    If you have any questions about the Manual, contact your institution’s ATIP Coordinator. If an interpretation of the Manual is needed, the ATIP Coordinator may email TBS’s  Privacy and Responsible Data Division.

    The information in this Manual provides general guidance to government institutions concerning the administration of the Act as it relates to access to personal information. Consult with your institution’s legal services unit for any legal advice relating to the interpretation of the Act.

  • Chapter 1 – Introduction

    Date updated: 2024-12-09
    ATI Manual Cross-reference

    1.1 The Act

    The Privacy Act (the Act) came into force on July 1, 1983. The Act is legislation of general application, which means that it generally applies, unless another act clearly says otherwise. As recognized in Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, the Act is of a quasi-constitutional nature. Quasi-constitutional acts express fundamental values and generally override other inconsistent laws.

    Section 2 of the Act states that the law’s purpose is “to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.”

    The Act applies to personal information as defined in section 3 of the legislation. This Manual provides guidance on the elements of the Act that relate to an individual’s right to request access to, and subsequently to request the correction of, personal information about themselves.

    1.2 Government institutions subject to the Act

    All government institutions listed in the Schedule of the Privacy Act and all parent Crown corporations and wholly owned subsidiaries of such corporations, within the meaning of section 83 of the Financial Administration Act, are subject to the provisions of the Privacy Act. Those institutions are also subject to the Policy on Privacy Protection and related policy instruments.

    1.3 Policy Instruments

    Paragraph 71(1)(d) of the Act requires the President of the Treasury Board, as designated Minister, to have prepared directives and guidelines that concern the operation of the Act and its Regulations. Such directives and guidelines must be distributed to government institutions. Of note, subsection 71(2) of the Act requires that the Governor of the Bank of Canada fulfil this requirement for the Bank of Canada.

    TBS has released four policy instruments that contain mandatory requirements relating to the Act. These include one policy and three directives, namely, the Policy on Privacy Protection, the Directive on Privacy Practices, the Directive on Social Insurance Number and the Directive on Personal Information Requests and Correction of Personal Information. The policy instruments that contain requirements pertaining to requests for access to and correction of personal information are the following:

    Implementation Notices provide guidance on the interpretation and application of the Access to Information Act, the Privacy Act and their related policy instruments.

    1.4 Objectives and Structure

    The Manual contains guidelines to help government institutions administer the legislation and meet policy requirements when fulfilling personal information requests. It is a detailed guide that explains the requirements of the Act, the Regulations and related policy instruments. It also contains policy advice, practical interpretations, and best practices. Where appropriate, relevant case law is cited, and excerpts are sometimes reproduced.

    As stated in the foreword, the Manual is designed to be amended as the subjects that it covers evolve to keep it up to date.

    [Guidance regarding the Directive on Privacy Practices and the Directive on Social Insurance Number is found primarily in the Privacy Practices Manual (TBD).]

  • Chapter 2 - Roles and Responsibilities

    Date updated: 2024-12-09
    ATI Manual Cross-reference

    This chapter provides an overview of the roles and responsibilities of:

    • the designated ministers
    • the Treasury Board of Canada Secretariat (TBS) and the Department of Justice Canada
    • the Privy Council Office
    • the Access to Information and Privacy (ATIP) Coordinators
    • the Privacy Commissioner of Canada and the Office of the Privacy Commissioner of Canada (OPC)
    • the Federal Court, the Federal Court of Appeal and the Supreme Court of Canada
    • parliamentary committees

    This chapter also contains information for understanding the roles and responsibilities conferred by the Privacy Act (the Act) and policy instruments to heads of government institutions and their delegates, ATIP offices, employees, and other officials.

    2.1 Key players

    2.1.1 Designated Ministers

    Pursuant to the definition of “designated Minister” in section 3 of the Act, the Governor in Council has made regulations under the Act, Designating the Minister of Justice and the President of the Treasury Board as Ministers for Purposes of Certain Sections of the Act. Each designated minister is responsible for recommending amendments to their respective sections of the Act and the Privacy Regulations (the Regulations).

    The responsibilities of the designated ministers conferred by the Act are summarized below.

    Roles and responsibilities

    The Minister of Justice acts as the designated minister for the following:

    • designating the head of a government institution by order in council (paragraph (b) of the definition of “head” in section 3)
    • extending the right of access by order in council (subsection 12(3))
    • proposing regulations, in accordance with subsection 77(1), to the Governor in Council related to:
    • specifying government institutions or parts of government institutions for the purpose of paragraph (e) of the definition “personal information” in section 3 (paragraph (a))
    • specifying investigative bodies for the purposes of paragraph 8(2)(e) and sections 22 and 23 (paragraph (d))
    • specifying persons or bodies for the purpose of paragraph 8(2)(h)(paragraph (g))
    • specifying classes of investigations for the purpose of paragraph 22(3)(c) (paragraph (l))
    • adding, replacing or deleting government organizations from the Schedule of the Act (subsection 77(2))

    The President of the Treasury Board acts as the designated minister for all other purposes of the Act. Specifically, with respect to access to personal information:

    • as set out in subsection 71(1):
    • prescribing forms that may be required for the operation of the Act and the Regulations
    • ensuring that directives and guidelines are prepared and distributed concerning the operation of the Act
    • prescribing the form and content of reports to Parliament
    • providing services regarding the administration of the Act to government and the public (section 71.1)
    • proposing regulations, in accordance with subsection 77(1), to the Governor in Council related to:
    • retention period for requests received under paragraph 8(2)(e) and records of information disclosed pursuant to the requests (paragraph (b))
    • procedures to be followed in making and responding to requests for access to personal information (paragraph (h))
    • procedures to be followed for the correction of personal information (paragraph (i))
    • fees to be paid for being given access to personal information (paragraph (j)) (note: fees are not presently collected)
    • procedures to be followed by the Privacy Commissioner in examining or obtaining copies of records that have been exempt under paragraph 19(1)(a) or (b) or section 21 (paragraph (k))
    • the class of individuals who may act on behalf of others (paragraph (m))
    • disclosure of information regarding the physical or mental health of individuals to duly qualified medical practitioners or psychologists (paragraph (n))
    • disclosure of information to individuals regarding their physical or mental health (paragraph (o))

    To enhance the effective application of the Act and the regulations by government institutions and to facilitate statutory and regulatory compliance, the President of the Treasury Board issued the Policy on Privacy Protection (the Policy) pursuant to paragraph 71(1)(d) of the Act.

    The sole exception to paragraph 71(1)(d) relates to the Bank of Canada. As per subsection 71(2), the Governor of the Bank of Canada is responsible for the preparation and distribution of the directives and guidelines concerning the Act and its regulations in relation to the Bank of Canada.

    2.1.2 The Treasury Board of Canada Secretariat (TBS)

    TBS issues direction and guidance to government institutions with respect to the administration of the Act and interpretation of the policy instruments. The Privacy and Responsible Data Division of TBS assists the President of the Treasury Board in carrying out their duties outlined below by developing policy instruments, guidance and tools, offering training, and providing advice and leadership to the ATI and Privacy communities.

    Section 5.2 of the Policy states that TBS is responsible for supporting the President of the Treasury Board with regard to handling personal information requests in the following ways:

    • issuing direction and guidance to government institutions with respect to the administration of the Act and interpretation of the policy and its supporting instruments
    • approving exceptions to any requirement contained in the policy or its supporting instruments; TBS must advise the OPC of any exceptions that are granted that could relate to the Act or to any of its provisions, or that may have an impact on the privacy of Canadians
    • prescribing forms and platforms to be used in the administration of the Act, as well as the form and content of the annual report to Parliament
    • publishing annually an index of personal information under the control of government institutions that is confirmed to be up to date; this practice has been decentralized and now falls to each institution to publish on their respective public websites
    • working with the Canada School of Public Service to integrate knowledge elements related to the Act and associated policy instruments into required training courses, programs and knowledge assessment instruments

    The monitoring and reporting responsibilities of TBS to support the administration of the Act are found in sections 5.2.4 and 5.2.5 of the Policy. They are:

    • regularly reviewing the policy, its related directives, mandatory procedures, standards, guidelines, forms and prescribed platforms to assess their continued effectiveness and accuracy; when substantiated by risk-analysis, TBS will also ensure that an evaluation is conducted
    • overseeing compliance with this policy and its supporting instruments across government institutions, leveraging existing reporting mechanisms as appropriate

    The consequences for non-compliance with the policy and its related instruments are found in section 7 of the Policy. They are:

    • for those government institutions that do not comply with the policy and its related instruments, there may be a requirement to provide additional information relating to the development and implementation of compliance strategies in their annual report to Parliament, or to TBS directly; this reporting may be in addition to other reporting requirements
    • TBS will work collaboratively with heads of institutions or their delegates to restore compliance
    • on the basis of analysis of monitoring and information received, the President of the Treasury Board may make recommendations to the head of the government institution; these recommendations could include prescribing any additional reporting requirements, as outlined above.

    2.1.3 The Department of Justice Canada

    The Department of Justice Canada supports the Minister of Justice in carrying out their duties under the Act. As part of its mandate under the Department of Justice Act, the Department of Justice Canada provides legal advice and services to the government and client departments and agencies, and represents the Crown in judicial reviews before the Federal Court, the Federal Court of Appeal and the Supreme Court of Canada. The Department of Justice Canada also provides legal advice on the application of section 70 of the Act, as explained in Chapter 11 of this manual. For their role with respect to the application of section 27 of the Act, see section 10.14 of this manual.

    2.1.4 The Privy Council Office

    The Clerk of the Privy Council and Secretary to the Cabinet is responsible for ensuring the integrity of the Cabinet process and the stewardship of the documents that support this process. As custodian of confidences of the King’s Privy Council for Canada of the current and previous ministries, they are responsible for policies on the administration of these confidences and for the ultimate determination of what constitutes such confidences and must be consulted in a manner consistent with the guidance set out in Chapter 11 of this manual.

    2.1.5 Access to Information and Privacy (ATIP) coordinator

    Each institution designates an official to serve as ATIP coordinator. This individual is responsible, on behalf of the head and deputy head of the institution, for ensuring compliance with the Act, Regulations and policy instruments. In many institutions, the head of an institution delegates some or all of their powers, duties and functions under the Act to the ATIP coordinator. As per 4.2.36 of the Policy, the head or their delegate must provide the contact information of the appropriate officer to receive personal information or correction requests, which will be then published on the prescribed contact list. In most cases this person is the ATIP coordinator.

    2.1.6 The Privacy Commissioner of Canada

    The Privacy Commissioner (the Commissioner) is an Agent of Parliament who receives and independently investigates complaints from individuals regarding the handling of their personal information by federal government institutions and from requesters who believe that government institutions have not respected their rights of access under the Act. In addition, the Commissioner has the authority to conduct compliance reviews of the privacy practices of government institutions as the practices relate to the collection, creation, retention, accuracy, use, disclosure and disposal of personal information by government institutions subject to the Act.

    The Commissioner may self-initiate complaints when they are satisfied there are reasonable grounds to investigate a matter under the Act. The Commissioner reports findings and may make recommendations with respect to any matter that has been investigated or reviewed. The Commissioner can also initiate or intervene in court proceedings.

    The Commissioner reports to Parliament on the activities of the OPC after each financial year. They may also make special reports to Parliament referring to and commenting on any matter within the scope of the powers, duties and functions of the Commissioner. The Commissioner is subject to strict confidentiality obligations. As such, they may only speak publicly about a complaint and the findings from an investigation following the tabling of the related report in Parliament.

    Chapter 12 of this manual provides additional information on the Commissioner’s role and the complaint process with respect to personal information requests.

    More information regarding the OPC can be found on its website, including its role with respect to both the Privacy Act and Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, and the work conducted by its Policy and Promotion Sector.

    2.1.7 Review by the Canadian judicial system

    The Federal Court examines applications for court reviews submitted by requesters or the Privacy Commissioner regarding the non-disclosure of personal information in response to requests submitted pursuant to section 12 of the Act. Any party to a review may appeal to the Federal Court of Appeal and, ultimately, seek permission to appeal to the Supreme Court of Canada.

    Chapter 12 of this manual provides additional information on reviews by the Federal Court.

    2.1.8 Parliamentary committees

    The House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (the ETHI Committee) studies and reports on matters referred to it by the House of Commons or on topics the Committee itself chooses to examine.

    The ETHI Committee’s mandate is defined in paragraph 108(3)(h) of the Standing Orders of the House of Commons. Its responsibilities in relation to the Act include the following:

    • reviewing and reporting on the effectiveness, management and operations of the OPC and its operational and expenditure plans
    • reviewing and reporting on any federal legislation, regulation or standing order that impacts on privacy
    • proposing, promoting, monitoring and assessing initiatives that relate to privacy

    2.2 Responsibilities of government institutions

    2.2.1 Heads of government institutions

    The head of every institution is responsible for carrying out their responsibilities set out in the Act, the regulations, the policy, and the related directives and standards within the institution, and holds responsibility for decisions made in this regard.

    For the purposes of the Act, the head of a government institution is the minister in the case of departments and ministries of state. For other government institutions subject to the Act, the head is the person designated by order in council. If no such person is designated, it is the chief executive officer of the institution, whatever their title. Examples include the President of the Treasury Board for TBS, the Minister of Health for Health Canada, the Master of the Royal Canadian Mint (President) and the President and Chief Executive Officer for certain Crown corporations such as the Canadian Broadcasting Corporation and Via Rail Canada Inc.

    The responsibilities of heads under the Act with regard to the handling of personal information requests are:

    The responsibilities of heads under the Regulations are as follows:

    • retain for a period of at least two years a copy of every request for access to personal information received and a record of any information disclosed pursuant to such a request (section 7)
    • when access to personal information is given by means of an opportunity to examine the information, provide reasonable facilities and set a convenient time for the examination (section 9)
    • respond to requests for correction of personal information (subsections 11(2) and 11(4))
    • authorize the disclosure of information relating to the physical or mental health of an individual (sections 13 and 14)

    Sections 4.1 and 4.2 of the Policy and section 4.1 of the Directive on Personal Information Requests and the Correction of Personal Information (the Directive) set out additional responsibilities of heads or their delegates with regard to the handling of personal information requests.

    Upon being named head of the institution, the head decides whether to delegate their powers, duties and functions under the Act pursuant to section 73. The head or the delegate makes final decisions. As mentioned in section 2.1.5 of this chapter, many heads of institutions delegate all their powers, duties and functions under the Act to the ATIP coordinator. 

    Section 2.3 of this chapter provides additional explanations on delegation.

    2.2.2 The Access to Information and Privacy Office

    The main responsibilities of the ATIP Office for the handling of personal information requests are as follows:

    1. Processing personal information and correction requests: The ATIP Office responds to all requests received under the Act in accordance with the provisions of the Act and the Regulations, jurisprudence, and the policies and directives issued by the President of the Treasury Board. This processing requires the following:
      • exercising discretion in a fair, reasonable and impartial manner with respect to decisions made in the processing of requests and resolution of complaints
      • assisting requesters, including protecting their identity and only disclosing the name of the requester to those who have a need to know, clarifying requests as needed, and providing access in the format and language requested when it enables the requesters to exercise their right of access
      • establishing a procedure to confirm the identity of the requester, the authority of an individual to make a request on behalf of another, and the right of access under the Act (see the Privacy Implementation Notice 2022-02: Identity Verification for Personal Information Requests for more guidance)
      • establishing a procedure for providing complete, accurate and timely responses to personal information and correction requests
      • communicating with requesters to acknowledge receipt of requests, to advise them of their right to complain to the Commissioner and to clarify requests, as needed
      • developing and implementing institutional procedures and practices for the application of the Act
      • determining whether personal information is under the control of the government institution and therefore subject to a request for access
      • consulting program managers, senior management, legal advisors, TBS, the Department of Justice Canada (as applicable), the Privy Council Office, third parties and other government institutions as needed
      • making decisions regarding requests when this authority has been delegated to the ATIP coordinator or other employees of the ATIP Office
    2. Performing related duties: The ATIP Office performs other duties related to personal information and correction requests, including the following:
      • determining whether to treat a request informally and seeking the consent of the requester to treat it accordingly
      • responding to consultations from other government institutions
      • ensuring compliance with the requirements of the Act, the regulations and any other ATIP policy instrument issued by TBS
      • drafting reports and other documents required by central agencies
      • ensuring the training and development of ATIP personnel; the ATIP office must document the completed training of employees who have a functional or delegated responsibility for the administration of the Act or regulations
      • ensuring and documenting the training of all the institution’s employees on their obligations under the Act and policy suite
      • proactively taking steps to resolve complaints and privacy concerns of Canadians prior to engagement with the formal complaint process, and taking responsibility and steps for corrective action
      • participating in the resolution of complaints filed with the OPC and court reviews, which requires explaining the institution’s decisions concerning the application of the Act
      • contributing, with TBS, to the review of policy instruments related to the Act
    3. Providing facilities for the examination of information, in accordance with paragraph 9(a) of the Regulations.
    4. Providing advice and expertise to employees of the institution, including training and awareness sessions on the Act and employees’ responsibilities as per Appendix B of the Directive.
    5. Ensuring that contracts and agreements with private and public sector entities include measures to ensure the institution meets the requirements of the Act, the Policy on Privacy Protection and the Directive on Privacy Practices. Section 4.2.34.7 of the Directive on Privacy Practices requires contracts and agreements to include provisions that address the obligation to coordinate when there is a personal information request, while section 4.2.34.6 highlights the institution’s continued control of any personal information disclosed.
    6. Considering other means of making government information available by reviewing the nature of requests received and assessing the feasibility of making frequently requested types of information available by other means.
    7. Contributing to Info Source: The ATIP Office must prepare, publish or review as required at least once a year the institution’s chapter in Info Source, in accordance with the guidance document Info Source Online Publishing Requirements .
    8. Preparing the annual report to Parliament on the administration of this Act within the government institution, in accordance with paragraph 71(1)(e) and section 72 of the Act and providing a copy in each official language to TBS and the Privacy Commissioner once it has been tabled.
    9. Collecting statistics on institutional activities related to the administration of the Act and submitting annually a statistical report to TBS, in accordance with established requirements distributed by TBS.

    2.2.3 Employees of the government institution

    The employees of government institutions play a key role in processing requests for personal information or corrections, providing relevant records, and making recommendations on their disclosure. To accomplish this, it is important that all employees manage their records effectively and meet the timelines established by the ATIP Office.

    Section 4.2 of the Directive on Personal Information Requests and Correction of Personal Information states that the following are responsibilities of employees of government institutions:

    • 4.2.1 Recommending to the head or the delegate, when appropriate, that information requested be disclosed informally
    • 4.2.2 Making every reasonable effort to search, locate and retrieve the requested personal information under the control of the government institution
    • 4.2.3 Ensuring searches for records are comprehensive and consider both the letter and the spirit of the request
    • 4.2.4 Referring questions about whether the personal information is under the control of the government institution to ATIP officials with delegated authority for their determination
    • 4.2.5 Advising ATIP officials at an early stage if a request cannot be responded to within the legislated 30-day timeframe
    • 4.2.6 Making every reasonable effort to respond to requests within the timelines prescribed in the Act, including extensions taken in accordance with the Act
    • 4.2.7 Providing recommendations and contextual information to inform the head of the government institutions, or their delegate, about possible exemptions or exclusions applicable to the personal information, taking into account the purpose of the Act
    • 4.2.8 Establish measures to support an individual’s right of access to their personal information when entering into contracts, arrangements and agreements

    The definitions of the terms “comprehensive search,” “control of records,” and “reasonable effort” are found in Chapter 3 [pending]. Guidance on how to meet these requirements are found in Chapters 5, 6, 9 and 10.

    2.3 Delegation

    The following discussion of delegation is intended to be general in nature and does not cover all eventualities.

    2.3.1 Definitions

    Delegate

    The term “delegate” is defined in Appendix A of the Policy as “an officer or employee of a government institution or of another government institution within the same ministerial portfolio when there is a service-sharing agreement between the two government institutions, who has been delegated to exercise or perform the powers, duties and functions of the head of the institution under the Act.”

    2.3.2 Relevant legislative provisions

    Section 73 of the Privacy Act

    Section 73 of the Act provides that the head of a government institution may, by order, delegate any of their powers, duties or functions under the Act to one or more officers or employees of that institution. More information on delegation orders can be found in section 2.3.12 of this chapter.

    Section 73.1 of the Privacy Act

    Section 73.1 provides for service sharing between institutions within the same ministerial portfolio, pursuant to a written agreement between the institutions regarding those services. The head of the institution receiving the services must provide a copy of the written agreement to the OPC and TBS as soon as possible after entering into the agreement. They must also be notified if there are any material changes to that agreement. As appropriate, the service providing institution may charge fees for the services, but these must not exceed the cost of providing the service. They would then have the spending authority for these funds received during the fiscal year they are received, unless an appropriation Act provides otherwise.

    If a written service-sharing agreement is established, the head of a government institution may delegate any of their powers, duties or functions under this Act to one or more officers or employees of another government institution.

    Subsection 24(2) of the Interpretation Act

    The courts have acknowledged that a minister is not expected to personally exercise all authorities conferred on that minister and that, in certain circumstances, departmental officials may act for their minister in exercising their statutory powers. This authority to act for a minister of the Crown has been formally codified and is reflected in subsection 24(2) of the Interpretation Act.

    Paragraph 24(2)(c) of the Interpretation Act states that a deputy minister can exercise the powers of the minister. Therefore, when no other officer or employee of the institution has been designated to act on behalf of the minister, it is not necessary for a minister to delegate to their deputy minister.

    If the minister does not sign a delegation order, paragraph 24(2)(d) of the Interpretation Act authorizes public service employees working within the institution to perform the duties outlined in the Privacy Act. In order to act for a minister, a person must:

    • be a public servant employed in the department or organization for which the minister is responsible
    • serve in a capacity within the department such that the person can reasonably be expected to exercise the power of the minister

    Note that exempt staff in a minister’s office, more commonly known as political staff, are not authorized to exercise the powers, duties and functions of the head of the institution.

    Where the head of the institution is a minister of the Crown who does not preside over the institution but is responsible for it, and in the absence of a delegation order, the minister must exercise personally the powers, duties and functions of the head of the institution.

    Subsection 24(4) of the Interpretation Act applies when the head of the institution is a public officer other than a minister of the Crown. Pursuant to that provision, the powers of the public officer may be exercised by their successors in the office or by a deputy. A deputy is generally an officer who serves in a position immediately below the public officer in the hierarchy and whose function is chiefly to support the public officer and assist in the exercise of their functions. A public officer usually has one deputy but, in some institutions, there may be more than one deputy.

    If there is a delegation order, subsections 24(2) and 24(4) of the Interpretation Act do not apply and officials cannot implicitly assume a right to act in the head’s name (see the decision Leahy v. Canada (Citizenship and Immigration) 2012 FCA 227, paragraph 84). Only the head or the delegate(s), acting within the scope of the delegation, may exercise the powers of the head of the institution.

    2.3.3 Policy requirements

    The Policy on Privacy Protection requires the head of an institution to consider whether delegation is appropriate. The Policy specifies that, in cases where the head decides to delegate, a delegation order must be signed, and delegated officers or employees must be at an appropriate level to be able to fulfill the duty.

    In addition, section 4.1.2 of the Policy sets out the considerations that the head of an institution must respect when delegating. These considerations are as follows:

    • powers, duties and functions are:
      • delegated only to officers and employees of their government institution, or of another government institution within the same ministerial portfolio when there is a service-sharing agreement between the two government institutions
      • not delegated to consultants, members of a minister’s exempt staff, employees of other government institutions with which there is no service-sharing agreement, or to individuals from the private sector
      • delegated to positions identified by title, not to individuals identified by name
    • delegates understand that they are accountable for any decisions they make, but ultimate responsibility remains with the head of the government institution
    • delegates are at the appropriate level to be able to fulfill the duties of their delegated authorities and are well informed of their responsibilities
    • delegates cannot further delegate powers, duties and functions that have been delegated to them, although employees and consultants may perform tasks in support of delegates’ responsibilities
    • delegation orders are reviewed when the circumstances surrounding the delegations have changed; a delegation order remains in force until it is replaced

    2.3.4 What can be delegated?

    Any of the powers, duties and functions assigned to the head of the institution under the Act may be delegated. The relevant provisions of the Act describing the powers, duties or functions that may be delegated are listed in Appendix B of the Policy.

    The responsibilities of the head of a federal institution include responding to requests made under the Act. Although not specifically mentioned in the Act, this necessarily implies that such requests be processed. Consulting other institutions and responding to consultations received from other federal institutions are essential parts of processing requests received under the Act. Therefore, when the head delegates the duty to respond to requests received under the Act, such delegation includes the duty to process the requests, to consult as required, and to respond to consultations received from other institutions.

    2.3.5 Who can delegate?

    Only the head of a government institution, as defined in section 3 of the Act, is authorized to issue the delegation. For departments or ministries of state, the head is the minister. For other institutions, it is the person who has been designated to be the head of the institution by the Governor in Council or, if no such person is designated, the chief executive officer of the institution, whatever their title.

    In general, the head of an institution cannot delegate the power to delegate. However, where the head is a minister, the power may be exercised by their “deputy” pursuant to paragraph 24(2)(c) of the Interpretation Act.

    2.3.6 Who can receive the delegation?

    The head of the institution can delegate to officers and employees of their institution under subsection 73(1). This means that consultants, ministerial staff or employees outside the institution cannot be designated in the delegation order. Under subsection 73(2) of the Act, the head of an institution can, by order, delegate to employees of another institution if the other institution is presided over by the same minister or falls under the responsibility of the same minister. A written agreement between both institutions is required prior to providing services to another institution.

    The Policy requires that the officers or employees be at the appropriate level, that is, that they be appointed to serve in a capacity appropriate to fulfilling the duty. Factors such as position and job description, hierarchical relationships and geographical location should be considered when assessing whether the person could reasonably be expected to exercise the powers within the institution.

    2.3.7 Can powers, duties and functions that have been delegated be further delegated?

    As noted in subsection 4.1.2.4 of the Policy, powers, duties and functions that have been delegated cannot be further delegated. Tasks may nevertheless be performed by employees, officials or consultants in support of the powers, duties and functions that are the responsibilities of the delegates.

    2.3.8 Who can exercise the powers, duties and functions?

    If there is no delegation order

    Subsection 24(2) of the Interpretation Act clarifies the power to act for ministers of the Crown. Its wording is as follows:

    “24(2) Words directing or empowering a minister of the Crown to do an act or thing, regardless of whether the act or thing is administrative, legislative or judicial, or otherwise applying to that minister as the holder of the office, include

    • “a. a minister acting for that minister or, if the office is vacant, a minister designated to act in the office by or under the authority of an order in council;
    • “b. the successors of that minister in the office;
    • “c. his or their deputy; and
    • “d. notwithstanding paragraph (c), a person appointed to serve, in the department or ministry of state over which the minister presides, in a capacity appropriate to the doing of the act or thing, or to the words so applying.”

    Where the head of the institution is a minister of the Crown presiding over a department or a ministry of state, in the absence of a delegation order a minister acting, a minister’s successor(s), the deputy minister, and officers or employees of the department are authorized, pursuant to paragraphs 24(2)(a) through (d) of the Interpretation Act, to make any decision delegated by statute to the minister, for and in the name of the minister.

    Where the head of the institution is a minister of the Crown who does not preside over the institution but is responsible for it and in the absence of a delegation order, the minister must exercise personally the powers, duties and functions of the head of the institution. For example, the Minister of Public Safety and Emergency Preparedness is the head of the Canada Border Services Agency but does not preside over the Agency.

    Where the head of the institution is a public officer other than a minister of the Crown and in the absence of a delegation order, the deputy is authorized to exercise the powers of the head pursuant to subsection 24(4) of the Interpretation Act.

    If there is a delegation order

    After an express delegation has been made, the specified powers may be exercised only by the head or by the delegate. When the delegate is absent or incapacitated and the delegation passes to another position, the person occupying that position may also make decisions. Similarly, a person occupying the position of the delegate on an interim basis may make decisions. No other officer or employee, from the deputy minister or deputy head to ATIP officials, has the legal authority to make decisions unless expressly stated in the delegation instrument.

    Even when a delegation has been issued, the head retains the power to make the decision and may do so as long as the delegate has not already communicated the decision to the requester. The head is not required to obtain input from the delegate before making a determination, although it is entirely appropriate to seek input from the delegate and other officials of the institution.

    Similarly, it is entirely appropriate for the authorized delegate to request input from other public service employees and consultants prior to making a decision. Consultation is not only legally permissible; it may also be administratively and practically necessary. The only limitation is that those consulted cannot be allowed to dictate the outcome of the exercise of statutory discretion, as that would amount to fettering of discretion. In the decision Do-Ky v. Canada (Minister of Foreign Affairs and International Trade) (T.D.) [1997] 2 F.C. 907, the Federal Court stated it is “not a fettering of discretion to seek advice from the government departments most knowledgeable and directly involved with the situation at hand. In fact, not to do so would be irresponsible. Provided that the individual who is responsible for exercising the discretion in fact turns [their] mind to the issues and weighs and considers all the facts, there is no fettering of discretion.”

    Processing the requests

    As mentioned above, the powers, duties and functions assigned to the head of the institution may be delegated only to officers and employees of the institution or if there is a service-sharing agreement in place, to employees of another government institution within the same ministerial portfolio. Tasks may nevertheless be performed by employees or officers in support of the powers, duties and functions that are the responsibilities of the delegates.

    Furthermore, nothing in the Act prevents a consultant or an employee from another institution from processing personal information requests if the following conditions are met:

    • contracts for consulting services contain confidentiality clauses to ensure that security obligations are met, as well as the requirements of the Act regarding the collection, use and disclosure of personal information
    • when employees from other institutions are mandated to process requests:
      • legislative or regulatory authority exists to allow one government institution to process personal information requests received by another institution
      • the disclosure of the personal information requests and related personal information complies with subsection 8(2) of the Act: such disclosure is a “consistent use”; if it is not already described in the relevant personal information bank, the institution is required to notify the Privacy Commissioner and amend the personal information bank as per subsection 9(4) of the Act

    2.3.9 Can the head overturn decisions of the delegate?

    The statutory power of a head that has been validly delegated to an official may be exercised either by the head of the institution or by the delegate. When a delegate is tasked with the review of documents and the preparation of the response letter and presents them to the head for their approval and signature, it is the head who is making the decision, not the delegate. When the delegate approves the decision regarding the disclosure of the documents and signs the response letter in their own name, it is the delegate who makes the decision.

    Until a decision regarding access to personal information has been communicated to the requester, it may be revisited by the head or the delegate during the internal processing phase. However, once a delegate makes a valid determination or decision in the proper exercise of the delegated power and has communicated the decision to the requester, the head cannot re-examine the matter or substitute their decision for that of the delegate, unless there is a complaint or a decision by the Federal Court.

    Given the purpose of the Act, when a complaint has been made to the OPC or a request for judicial review presented to the Federal Court, decisions to give or refuse access to personal information may be revisited by the head or the delegate at any point until the completion of the Privacy Commissioner’s investigation or until the Federal Court renders its decision. If, for example, a delegate initially refused to give access to personal information during the processing of a request, the head can subsequently decide to release the information during the investigation of a complaint. More on Investigations and Reviews is found in Chapter 12.

    2.3.10 Who has responsibility for decisions made under the Act?

    Once a delegation order is signed, delegates are accountable to the head of the institution for any decisions they make. Delegates exercise the powers in their own name because they are authorized to act. Ultimate responsibility, however, always rests with the head of the government institution.

    If there is no delegation order, accountability remains with the head of the institution. An officer or employee of the department who exercises powers under subsection 24(2) or subsection 24(4) of the Interpretation Act does so on behalf of the head.

    In both cases, public service employees should be clearly informed of their specific obligations with respect to the Privacy Act.

    2.3.11 Validity of decisions made without proper delegation

    If someone does not properly hold the authority to exercise the powers and purports to do so, the resulting decisions may be challenged through judicial review proceedings and set aside.

    Decisions and statutory functions that are administrative in nature or that require very little discretion (for example, providing access in a particular official language or in an alternative format) may be made by a competent person without concern about legal challenge. Where the decision requires the exercise of some discretion, such as applying a discretionary exemption or not, only the person who has the proper authority may make the decision. A court may declare the decision invalid if it is made by someone who does not have the proper authority.

    2.3.12 The delegation order

    After careful consideration, the head of the institution may decide to delegate any or all their powers, duties or functions under the Act to one or more officers or employees of the institution. In such cases, institutions are required by policy to have in place a current delegation order signed by the head of the institution that stipulates the responsibilities delegated to particular officials.

    Instructions issued pursuant to subsection 71(1) of the Act make it mandatory for institutions to include a copy of the signed delegation order in their annual report to Parliament. If there has been no delegation, a statement to that effect must be included in the annual report. If multiple delegation orders were in effect throughout the year, a copy of the order that was in effect on March 31 of the reporting year must be included.

    Signed delegation orders should be stored in a manner that allows them to be easily accessed and produced to confirm an officer’s authority to act under the Act.

    What the delegation order should contain

    When the head delegates responsibilities, they must specify in the delegation order what powers, duties and functions are delegated.

    The Policy requires the head to identify the delegates by position title, not by name, to allow greater flexibility. When delegation is to the position rather than a named individual, a new delegation is not required when a new appointee assumes the position or when someone is acting in the position. It is recommended that the delegation order also recognize another position to which delegation passes if the occupant of the original position is absent or incapacitated. For example, an order giving full delegation to the person holding the position of ATIP coordinator could stipulate that if they are absent or incapacitated for more than five working days, full delegation is given to the person holding the position of director general, assistant deputy minister or deputy minister.

    It is also recommended that delegated authority be given to more than one officer or employee who is responsible for resolving issues during the investigation of a complaint or a review by the Federal Court.

    The following questions should be considered when preparing a delegation order:

    • Has the correct person (that is, the head of the institution or, when the head is a minister, the deputy minister) delegated the power or duty in question?
    • Has the delegated authority been correctly and clearly described or identified in the delegation order?
    • Should full authority for the administration of the Act be delegated to the ATIP coordinator?
    • Should more than one person have delegation? Should deputy ministers and senior managers also be named in the delegation order?
    • Are functions delegated as far down within the ATIP Office as possible? For example, extensions and third-party notices can be delegated to ATIP officers as well as to the ATIP coordinator.
    • Does the delegation order give authority to more than one officer or employee to resolve issues with the Privacy Commissioner?
    • Do the delegates have sufficient knowledge of the Privacy Act and the Access to Information Act to properly exercise the delegated powers?

    The Privacy and Responsible Data Division’s website provides a fact sheet, Delegation Under the Access to Information Act and the Privacy Act, which contains examples of delegation orders.

    How long a delegation order remains in force

    A delegation order remains in force until such time as it is reviewed and revised by the head of the institution. If the delegation order specifies an individual, that individual’s departure or inability to act will render the order unusable unless another individual or position is also named. Therefore, to avoid this outcome, the Policy requires that the head identify the delegates by position or title and not by name.

    The delegation order remains in force even when a new head is appointed, be it during a writ period or following a federal election or by-election. The fact that a current head has not issued their own order is not critical because the appointment of a new head does not nullify the actions taken by their predecessor.

    When a delegation order should be reviewed

    While the delegation order remains in force upon the appointment of a new head, section 4.1.2.5 of the Policy requires that the delegation order be reviewed when circumstances surrounding the delegation have changed. It is recommended that the order be revised as soon as practicable to reflect the preferences of the new head.

    The requirement to review the delegation order may arise in other circumstances, such as changes in personnel, restructuring of the organization, transfers of programs or portions of programs, merging of institutions, and changes in the mandate of the institution. (Where institutions have been merged or where programs or portions of programs have been transferred, the authority for decisions under the Act rests with the new head.)

    If a new delegation order is required, it should be put in place as soon as possible in order to reduce any potential for disruption of the processing of requests.

    Summary
    If there is a delegation order If there is no delegation order

    The head can delegate to one or more officers and employees of their government institution or another government institution within the same ministerial portfolio when there is a service-sharing agreement between the two government institutions. Consultants, members of a minister’s exempt staff, or employees of other government institutions or from the private sector cannot be named in the delegation order.

    Not applicable

    Subsections 24(2) and 24(4) of the Interpretation Act do not apply.

    Subsection 24(2) of the Interpretation Act applies to departments and ministries of state. Subsection 24(4) of the Interpretation Act applies to other government institutions.

    Only the delegate(s) and the head may exercise the powers, duties and functions of the head.

    In the case of departments and ministries of state over which a minister of the Crown presides, the powers, duties and functions of the head may be performed by an officer or employee of the department or ministry of state, including the deputy minister, appointed to serve in a capacity appropriate to fulfilling the duty.

    In cases where the head of the institution is a minister of the Crown who does not preside over the institution, but is responsible for it, the minister must exercise personally the powers, duties and functions of the head of the institution.

    In the case of other government institutions, the deputy of the head may exercise the powers, duties and functions of the head.

    Exempt staff in a minister’s office are not authorized to exercise the powers, duties and functions of the head of the institution.

    Exempt staff in a minister’s office are not authorized to exercise the powers, duties and functions of the head of the institution.

    Tasks may be performed by employees, officers or consultants in support of the powers, duties and functions that are the responsibilities of the delegates and the head.

    Tasks may be performed by employees, officers or consultants in support of the powers, duties and functions that are the responsibilities of the head.

    Delegates exercise the powers in their own name.

    An officer or employee who exercises powers under subsection 24(2) or subsection 24(4) of the Interpretation Act does so on behalf of the head.

    Once a delegate makes a decision in the proper exercise of the delegated power and has communicated the decision to the requester, the head cannot reassess the decision of the delegate. The head can revisit the decision during the investigation of a complaint or a review by the Federal Court.

    Once an officer or an employee has communicated the decision to the requester, the head cannot reassess the decision of the officer or employee. The head can revisit the decision during the investigation of a complaint or a review by the Federal Court.

    Delegates are accountable to the head of the institution for any decisions they make. Ultimate responsibility, however, always rests with the head of the government institution.

    Accountability remains with the head of the institution.

    2.4 Service sharing

    In June 2019, the Privacy Act was amended by Bill C-58 to introduce the ability for institutions to share ATIP services between institutions within the same ministerial portfolio.

    Section 4.2.17 of the Policy requires that institutions ensure the requirements of section 73.1 of the Act are respected when entering into a service-sharing agreement.

    There are several key legal and policy considerations when establishing a service-sharing agreement between two institutions within the same ministerial portfolio:

    • Governance: ATIP offices often participate in departmental committees, and report to senior management and communications units. Consideration will need to be given to how governance will work when ATIP services are shared. Which committees will the ATIP office be accountable to? How will senior management and communications be engaged? How will competing priorities and approaches within institutions be resolved?
    • Human resources: Service sharing may assist institutions where one institution may have more resources dedicated to ATIP, including software or greater experience in processing requests.
    • Information technology: Distinct systems, or partitions within systems, may be necessary to ensure it is clear which institution has control of the records and information.
    • Financial: The Act allows for the institution providing the service to charge a fee that does not exceed the cost of the service. Allocation of funding and the tracking of costs per institution, including corporate costs such as human resources services, should be considered when establishing a service-sharing agreement.

    As per section 4.2.18 of the Policy, the head of the institution that receives the services must provide a copy of any new service-sharing agreement, and any material changes to an existing service-sharing agreement, to the President of the Treasury Board and to the Privacy Commissioner as soon as possible after entering into the agreement or after any material changes arise.

  • Chapter 4 – Info Source

    Date updated: 2024-12-09
    ATI Manual Cross-reference

    4.1 Sources of Federal Government Information Published by Institutions

    All government institutions subject to the Access to Information Act (ATIA) and the Privacy Act publish an inventory of their information holdings as well as relevant details about personal information collections under their control, in accordance with subsection 5(1) of the ATIA and section 11 of the Privacy Act.

    The current designated repository, as defined by TBS per 4.2.7 of the Policy on Privacy Protection, is known as “Info Source.” Each institution must have a repository and update it annually, as per 4.3.22 of the Policy on Access to Information. TBS centrally indexes these pages to facilitate public access.

    These pages provide information about the functions, programs, activities, and related information holdings of government institutions, including an updated list of the institution’s personal information banks (PIBs), as per 4.2.7 of the Policy on Privacy Protection. A PIB does not actually contain personal information; rather, it describes personal information that is collected, used, or disclosed by the institution in relation to a particular function, program, or activity. The published PIB descriptions, and the descriptions of other classes of information held by the institution may assist individuals in exercising their rights under the Privacy Act to request access to their personal information or exercising their rights under the ATIA to make a request for government records.

    All personal information held by an institution, in its official record keeping system or elsewhere under its control, must be described in these pages: either within a PIB description, or within a description of other classes of personal information held by the institution.

    Personal information held by an institution must be described in a PIB when an institution collects personal information which falls into one of two categories:

    1. Personal information has been used, is being used or is available for use for an administrative purpose, which the Privacy Act defines as being used in a decision-making process that directly affects that individual; or
    2. Personal information is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. An identifying number could include the Social Insurance Number, Personal Record Identifier (PRI) or any other number. A particular assigned to an individual could include a home or other residential address.

    In accordance with section 11 of the Privacy Act, all PIB descriptions in the repository of information holdings (referred to in the Privacy Act as the “Personal Information Index”) must include the following:

    • the identification and a description of the bank, the registration number assigned to it by the designated Minister pursuant to paragraph 71(1)(b) and a description of the class of individuals to whom personal information contained in the bank relates,
    • the name of the government institution that has control of the bank,
    • the title and address of the appropriate officer to whom requests relating to personal information contained in the bank should be sent,
    • a statement of the purposes for which personal information in the bank was obtained or compiled and a statement of the uses consistent with those purposes for which the information is used or disclosed,
    • a statement of the retention and disposal standards applied to personal information in the bank, and
    • an indication, where applicable, that the bank was designated as an exempt bank by an order under section 18 and the provision of section 21 or 22 on the basis of which the order was made.

    Alternatively, if personal information is being collected, but does not fall into one of the two categories listed above, it must be accounted for in a class of personal information. Personal information may also be collected for non-administrative purposes, for instance, when institutions conduct research activities or statistical analyses. It may not be intended to be retrievable, whether by the name of an individual or by an identifying number, symbol of other particular assigned to an individual. A class of information must be published on the “Info Source” site and include:

    • a description of the class in sufficient detail to facilitate the right of access under this Act, and
    • the title and address of the appropriate officer for each government institution to whom requests relating to personal information within the class should be sent.

    In addition to the institution-specific PIBs and classes described above, there are two additional types of PIBs:

    1. Standard PIBs are created and maintained by the Privacy and Data Protection Division within TBS. They describe personal information that is contained in records of most government institutions to support common internal services. These include personal information relating to human resources management, travel, corporate communications and other administrative services.
    2. Central PIBs describe personal information that may be found in all, or several government institutions, and are maintained by a central federal government department or agency, such as the Public Service Commission, Public Services and Procurement Canada, or TBS. An example of a central PIB is TBS’ Entitlements and Deductions System PIB, TBS PCE 741, that captures pay and benefits data and is used for planning, implementing, evaluating and monitoring government policies.

    For additional information about PIBs or publishing requirements for “Info Source,” please refer to the following guidance:

    1. Info Source Online Publishing Requirements
    2. The Privacy Practices Manual (TBD).

    Individuals may file a complaint to the Privacy Commissioner relating to the Info Source publications.

    4.2 Sources of Federal Government Information Published by TBS

    Subsection 5(2) of the ATIA requires that the designated Minister cause to be published, at least twice a year, a bulletin that updates the annual publication and provides other useful information about the ATIA. In practice, the bulletin, which consists of two publications, also provides useful information on the Privacy Act.

    1. The Statistics on the Access to Information and Privacy Acts publication provides an annual compilation of statistical information about requests made under the ATIA and the Privacy Act, as well as an historic perspective since the promulgation of both Acts. This is supported by requirements set out in 4.3.21 of the Policy on Access to Information and 4.2.34 of the Policy on Privacy Protection to provide TBS with a statistical report on the administration of the respective Acts within the institution.
    2. The Federal Court Decision Summaries publication is an annual summary of Federal Court, Federal Court of Appeal and Supreme Court of Canada cases related to both Acts.

    Subsection 5(4) of the ATIA requires the designated Minister to ensure that the bulletin is made available throughout Canada in conformity with the principle that every person is entitled to reasonable access to the bulletin. This is achieved in practice by publishing the bulletin on TBS’s Access to information and privacy page.

  • Chapter 5 – Right of Access

    Date updated: 2024-12-09
    ATI Manual Cross-reference

    5.1 Introduction

    The Privacy Act gives everyone the right to access their personal information held by government institutions that are subject to the Act.

    Subsections 12(1) and (2) of the Act describe an individual’s right of access to and correction of their personal information under the control of a government institution. Access to an individual’s personal information is provided in accordance with the following principles:

    • individuals should be able to view and, when necessary, request correction of their personal information that a government institution holds
    • necessary exceptions to the right of access should be limited and specific
    • decisions on the disclosure of government information should be reviewed independently of government

    Prior to July 13, 2022, there were specific restrictions on who was eligible to make a request. When the Privacy Act was first enacted, the right of access was provided to every individual who is a Canadian citizen or who meets the definition of “permanent resident” in subsection 2(1) of the Immigration and Refugee Protection Act. However, Privacy Act Extension Order, No. 3, extended the right of access to include all individuals outside Canada to whom that right had not been extended previously.

    For reference, Privacy Act Extension Order, No. 1, extended the right of access to include individuals who meet the definition of “inmate” in section 2(1), Part I, of the Corrections and Conditional Release Act. Privacy Act Extension Order, No. 2, extended the right of access to include all individuals who are present in Canada. The term “present” denoted a physical presence in a geographic location. Although Privacy Act Extension Order, No. 2, did not provide for a minimum time period during which the requester must be present in Canada, it required requesters who were not Canadian citizens or permanent residents to have been physically in the country at the time they submitted the request.

    When making a request using the Personal Information Request Form or the ATIP Online Request Service, individuals still must identify to which of the following groups they belong, for statistical reporting purposes:

    • Canadian citizens or permanent residents
    • foreign nationals present in Canada
    • foreign nationals outside of Canada

    The collection of this data element is to examine how Extension Order No. 3 impacts the access regime on the whole. It has no bearing on the actual processing of the request. All requests should be treated in the same manner, and there is no hierarchy among types of requesters. However, institutions may have additional procedures with respect to identification documents issued outside of Canada (see section 5.2 below for identity verification procedures).

    The right of access applies to personal information recorded in any form that is under the control of a government institution. There is no obligation to create personal information in response to a request under the Act. There are also certain limitations to the right of access to personal information through exemptions and exclusions. (Chapters 3 [pending] and 6 of this manual provide information on the notion of control. Chapters 9 to 11 provide information on exemptions and exclusions.)

    The right of access is exercised under the Act when:

    1. individuals submit a completed request for personal information (see section 6.6.1 of this manual for the requirements of a “complete” request)
    2. the personal information requested is about any of the following:
      1. themselves
      2. someone from whom they have received the authority to make the request on their behalf
      3. someone from whom they have received consent to have the personal information disclosed to them (discussed throughout this chapter)
    3. the information retrieved by the institution in response to the request meets the definition of personal information and the institution has either determined that no exemptions and exclusions of the Act apply, or the personal information can be disclosed in part

    Throughout the processing of a request for access to personal information, the government institution must assess the information provided by the office of primary interest (OPI) in response to the request in relation to the individual’s right of access. For further information on severability, which is implicit to the concept of the right of access, see section 9.7 of this manual.

    5.2 Verification of requester’s right to request access

    Subsection 8(2) of the Privacy Regulations provides that an individual who makes a request for access to personal information must provide adequate identification to the government institution before the information is provided.

    Under the Standard PIB on Access to Information and Privacy Act Requests (PSU 901), the personal information that a government institution may collect for identity verification purposes could include name, contact information, credit card information, identification numbers, social insurance number (SIN) (only specific institutions can collect this) and other processing information related to the request. It could also include personal information contained in institution records that are relevant to the request. For example, the Canadian Revenue Agency (CRA) may ask for specific information on a line of a tax return as part of their procedure to validate the requester’s identity. Institutions should refrain from collecting other types of personal information that are not listed in the Standard PIB.

    Section 4.1.4 of the Directive on Personal Information Requests and Correction of Personal Information requires that institutions establish procedures to:

    • confirm the identity of the requester so that privacy will not be breached
    • confirm the authority of an individual to make a request on behalf of another individual (if applicable)

    In order to limit the risk of a privacy breach, if there is any doubt concerning the identity of the person seeking access, personal information should not be disclosed. Requesters are to be notified that the request will not be processed until their identity can be confirmed, and identity requirements can be communicated in that notice.

    Establishing a right of access through identity verification

    Requesters must provide the following, whether submitting a request by paper, electronically or through the Online Request Service:

    1. Proof of the right of access to their personal information

    Institutions will set out procedures and prescribe required identity documents or personal information from requesters based on the level of sensitivity of the information requested and the level of assurance required to validate their identity.

    Examples of possible acceptable identification documents or identifying numbers assigned to the individual include:

    • passport
    • driver’s licence or enhanced driver’s licence
    • provincial or territorial photo card for non-drivers (excluding health card)
    • certificate of Indian Status (status card)
    • citizenship card or national identity card
    • permanent resident card
    • Nexus card
    • record of landing or confirmation of permanent residence (IMM 5292)
    • immigration documents issued to foreign nationals present in Canada (for example, work permit, study permit, refugee approved status)
    • birth certificate
    • personal record identifier (PRI) for current or former public servants

    The SIN is not an identity document, but it may be requested by specific institutions if the request seeks information about employment, government benefit programs or services, or for taxation purposes. (For additional information on the collection and use of the SIN, refer to the Directive on Social Insurance Number.)

    2. Authorization, if applicable

    • If a requester is making a request on behalf of someone else, they must be authorized to do so.
    • The authorization must be signed and dated by the person authorizing the disclosure of their information.

    3. Consent, if applicable

    • A requester should include the consent of each individual over the age of 16 whose personal information may also form part of the personal information request. TBS form TBS/SCT 350‑60E, Consent for a Personal Information Request Form, is the prescribed form for providing consent. Institutions can advise requesters to use the form as it contains all of the necessary information to demonstrate valid consent. Without this consent, the other individual’s information will likely be redacted.
    • Some institutions may have additional requirements surrounding consent. For example, if submitting a request to Immigration, Refugee and Citizenship Canada, a requester must use the Consent for an Access to Information and Personal Information Request form (IMM 5744).

    There may be a need to task the OPIs and to obtain responsive information for the request to determine how identity may be further validated. For example, if the institution has a file or case associated with the individual, the institution may be able to verify identity by linking the file or case number provided with information contained in the request. Also, it may not be evident until after the information is received by the ATIP office, that consent could be sought. For example, there may be a significant amount of interwoven personal information that was not identified in advance in the request text. See section 10.13 of this manual for additional information on interwoven information (section 26 of the Act).

    For more detailed information on how institutions can meet their obligations to establish procedures to validate the identity of the requester in conjunction with section 4.1.4 of the Directive, refer to Privacy Implementation Notice 2022-02: Identity Verification for Personal Information Requests.

    5.3 Institution’s obligation to exercise due diligence

    The institution can rely on the information provided by the requester unless specific facts indicate that further due diligence is required, for example, if there are discrepancies between the information provided and the information on file. If in doubt, the institution should ask the requester to provide other evidence to confirm their identity, the validity of the consent of the other individual, or the authority to make a request on behalf of another individual.

    5.4 The authority of an individual making a request on behalf of another individual

    Section 10 of the Privacy Regulations reads as follows:

    • 10 The rights or actions provided for under the Act and these Regulations may be exercised or performed
    • (a) on behalf of a minor or an incompetent person by a person authorized by or pursuant to the law of Canada or a province to administer the affairs or estate of that person;
    • (b) on behalf of a deceased person by a person authorized by or pursuant to the law of Canada or a province to administer the estate of that person, but only for the purpose of such administration; and,
    • (c) on behalf of any other individual by any person authorized in writing to do so by the individual.

    For paragraphs 10(a) and (b), the individual making the request must provide supporting documentation, such as power of attorney documents or identify themselves as the legal representative for the individual, living or deceased. The key distinction between these two paragraphs and paragraph 10(c) is that in circumstances involving the personal information of a minor or incapacitated or deceased person, there is likely no method to obtain authorization from the individual themselves.

    For paragraph 10(c), individuals must specify in writing that they wish to have someone else, known as an “authorized representative,” make a request for their personal information on their behalf. In some circumstances, such as when the representative is a lawyer, the authorization may be a standard form provided by the law office. The authorization will be deemed valid only if it clearly indicates the purpose for which the representative is acting on the requester’s behalf. If the authorization is not clear or if the institution has doubts about its validity, the institution should contact the requester. In addition, the older an authorization is, the greater the duty of an institution to verify that it is still valid and has not been revoked. It is best practice to seek confirmation that the authorization is still valid if more than one year has passed, or if the institution has reason to believe that circumstances may have changed.

    While not required, TBS form TBS/SCT 350-55E, Authorizing a Personal Information Request to be Made on Your Behalf Form, is recommended as it contains all of the necessary information for an acceptable authorization.

    5.5 Requests made by current or former officers or employees of a government institution

    Current or former officers or employees of a government institution may make personal information requests. The fact that an individual is or was a public servant is irrelevant with respect to their right of access under subsection 12(1) of the Act to make a request. However, there is a greater likelihood that requests made by current or former public servants will contain information relating to their duties and functions, which, depending on the context of the request, may or may not fall under the exception set out in 3(j) of the Privacy Act. The exceptions set out in definition of personal information are only for the purposes of section 7 (use), section 8 (disclosure), and section 26 (information about another individual) of the Privacy Act and section 19 of the Access to information Act. For further information on how to treat requests that contain both personal and non-personal information, see section 9.8.

    5.6 Fees

    While section 11 of the Access to information Act provides that a requester may be required to pay an application fee, there is no such provision in the Privacy Act. Therefore, fees are not charged for personal information requests or requests for correction.

  • Chapter 6 – Request Processing

    Current as of 2024-12-09
    ATI Manual cross-reference

    This chapter provides guidance to government institutions on processing informal requests for personal information and requests made under the Privacy Act(the Act) within the framework provided by the Act, the Policy on Privacy Protection (the Policy), and related policy instruments. It outlines the steps of the process and identifies other chapters or sections of this manual that provide additional information. Once the institution has confirmed that an individual has a right of access in theory, and has verified the identity of the individual, as discussed in Chapter 5, this chapter will help guide the processing of the request.

    The Treasury Board of Canada Secretariat (TBS) has developed the ATIP Online Management Tool, a secure application for access to information and privacy (ATIP) practitioners. Visit ATIP Online for practitioners for assistance in creating an account and using the tool when receiving and responding to ATIP requests.

    6.1 Duty to assist

    Sections 4.1.8 through 4.1.14 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive) set out the requirements of the head of the government institution or their delegate with regard to the duty to assist requesters. These align with the Principles for Assisting Requesters, which are as follows:

    In processing your personal information request or correction request under the Privacy Act, we will:

    1. Offer reasonable assistance throughout the request process.
    2. Provide information on the Privacy Act, including information on the processing of requests and requesters’ right to complain to the Privacy Commissioner of Canada.
    3. Inform requesters as appropriate and without undue delay when requests need to be clarified.
    4. Make every reasonable effort to locate and retrieve the requested personal information.
    5. Apply limited and specific exemptions to the requested personal information.
    6. Provide accurate and complete responses.
    7. Provide timely access to the requested personal information.
    8. Provide personal information in the format and official language requested, as appropriate.
    9. Provide an appropriate location within the government institution to examine the requested personal information.

    Examples of the types of assistance that may be provided are:

    • explaining access and complaint‑resolution processes under the Act
    • directing requesters to other means of obtaining information
    • acknowledging or clarifying a request
    • when an extension is required, providing a written explanation for the delay to the requester
    • informing the requester of the progress of the request
    • providing interim disclosures

    6.1.1 A note on communicating with requesters

    Throughout the request process, institutions are expected to communicate with requesters in a respectful manner. The same may be expected of requesters. It should be acknowledged that there are times when requesters may be in situations that are stressful or frustrating. While the Principles for Assisting Requesters set out a requirement to offer reasonable assistance, they do not require institutions to tolerate abusive behaviour and communications toward employees. It is recommended that institutions develop internal guidance for ATIP analysts to report interactions that could be characterized as abusive to their team leaders or supervisors. Institutions can consider mitigation strategies to protect their employees. For example, requesters can be informed that further communications will be in writing only, or they can be given a single point of contact instead of more than one ATIP analyst.

    6.2 Submitting a request

    6.2.1 Paper-based personal information requests

    Individuals can use the Personal Information Request Form to obtain copies of their personal information held by government institutions. Requesters can consult Info Source (formerly known as Information about programs and information holdings) to determine which institution is most likely to hold the information.

    6.2.2 Online personal information requests

    In fall 2018, the government launched the Access to Information and Privacy (ATIP) Online Request Service to make submitting ATIP requests faster, easier and more convenient. It is the TBS‑prescribed platform for making requests; therefore, as set out in 4.2.25.1 of the Policy, it must be used by federal institutions, unless an exception is granted. As onboarding to the portal continues, the list of federal institutions that accept ATIP requests through the portal will be updated. Using this method, requesters select the format in which they would prefer to receive the information: electronic to their ATIP Online account; electronic by email, CD, or DVD (depending on size); paper copy; or in‑person examination. See sections 6.17.3 and 6.17.4 of this manual for details on government institutions’ responsibilities with regard to format.

    To make an online request, the requester must provide details about their identity, specify their preferred language and format, and describe their request. They must also provide their contact information, including full name, address and email. Requesters may optionally attach up to five documents to support their request. After the request is submitted, the requester will receive an email confirming that the request has been received.

    Government institutions are responsible for following up with requesters as necessary to obtain adequate proof that the information provided in the online request is true. For additional information on the verification of the right of access, refer to section 5.2 of the manual.

    6.2.3 Transfers

    Requests made under the Privacy Act cannot be transferred to another federal institution with greater interest. If an institution receives a request and does not hold the requested personal information, it will send a formal response indicating this to the requester. See section 6.6.5 for additional guidance.

    6.3 Informal access

    Individuals may also choose to submit an informal request for their personal information. To make an informal request, individuals can contact the government program they have been dealing with or the institution’s ATIP coordinator. The list of ATIP coordinators at each government institution is available online.

    When possible, institutions should provide individuals with informal access to their personal information, as long as it does not contain sensitive information that could be exempted or excluded. However, requesters who submit informal requests to the ATIP Office must be informed that there is no time limit for responding and that they are not entitled to complain to the Privacy Commissioner about the processing of their request. When informal access to the requested personal information cannot be given, the requester should be informed of their rights under the Act and of how their rights may be exercised.

    6.3.1 Informal requests

    Informal requests are made to either the government program the individual has been interacting with or to the ATIP Office, but they are not submitted or processed under the Privacy Act. There are no statutory deadlines for responding, and there is no right to complain to the Privacy Commissioner. Informal requests are defined in Chapter 3 of this manual [pending]. Informal requests do not include requests from employees of the institution acting in their official capacity (for example, requests for performance feedback or performance evaluations).

    6.3.2 Factors to consider when deciding whether to process a request informally

    When determining whether the requested personal information can be disclosed informally, employees should consider factors such as the age and sensitivity of the records, whether the information is in the public domain, whether the issues within have been resolved, whether consultations with other institutions or third parties will be required, and whether the records contain information that is subject to the exemption or exclusion provisions of the Act.

    In some circumstances, it may not be clear whether a request has been submitted formally or informally to the ATIP Office. In such situations, institutions should attempt to provide requesters with their information as soon as possible, which may mean that the institution treats the request as an informal one, provided the requester agrees. For example, institutions may want to respond to requests informally when employees ask their managers to see their employee file rather than ask the employees to submit a formal personal information request. If a requester is not satisfied with what was provided in response to the informal request, they can subsequently submit a formal one.

    6.3.3 Examples

    Examples of requests that can normally be processed informally include requests to obtain the following:

    • personnel files
    • status updates on an application for a benefit or program
    • correspondence containing information or opinions about the individual

    These are guidelines only, and a determination should be made on a case‑by‑case basis.

    6.3.4 Procedures

    Section 4.1.5 of the Directive requires that heads of government institutions or their delegates determine whether it is appropriate to respond to a personal information request on an informal basis, recognizing that the Act is intended to complement existing procedures for obtaining personal information held by government. The same requirement is set out for employees of government institutions under section 4.2.1 of the Directive. When making such a recommendation, employees should consider the factors outlined in 6.3.2 of this manual. When a personal information request is for material that may be provided without recourse to the Act, the requester should be informed that a personal information request is not required, and that the information can be provided in accordance with normal government practice.

    If an informal mechanism is a more appropriate route, pursuant to section 4.1.6 of the Directive, institutions must seek written consent from the requester to proceed this way. In so doing, institutions are to inform the requester that only formal requests are subject to the provisions of the Act. Thus, they would not be entitled to complain to the Privacy Commissioner about the processing of their informal request and there is no time limit to respond.

    6.3.5 Reporting requirements

    Informal requests submitted to ATIP offices are included in the Statistical Report on the Privacy Act. Since fiscal year 2012–13, government institutions have been required to report these requests as supplementary information in their statistical reporting on the administration of the Act.

    Requests for information that are disclosed pursuant to subsection 8(2) of the Act should not be reported as informal requests under the Act; these requests are processed and reported (where applicable) pursuant to Act requirements. For example, requests received from an investigative body pursuant to paragraph 8(2)(e) and disclosures of personal information under paragraph 8(2)(m) are reported in Part 3 of the Statistical Report on the Privacy Act.

    Although internal service requests may have security and privacy implications, they should be reported in a separate section of an institution’s annual report to Parliament if the institution wants to capture all the activities of its ATIP Office related to these requests.

    6.4 Protecting the identity of the requester to a need to know basis

    The name of an individual who has made a request under the Act is personal information, as defined in section 3 of the Act, and can only be disclosed in conformity with the Act. Moreover, section 4.2.23 of the Policy requires institutions to make every reasonable effort to assist with the request; this requirement is independent of the identity of the requester.

    Section 4.2.21 of thePolicy requires institutions to ensure that the identity of a requester is protected and disclosed on a need‑to‑know basis. That is, it is disclosed only to people who need the information to respond to the request or otherwise perform their duties related to a legitimate program or activity. In addition, section 4.1.8 of the Directive requires institutions to limit the disclosure of information that could be used directly or indirectly to identify the requester to persons who need to know the information, unless the requester has given consent to disclosure. Their consent should be in writing and dated.

    Although the name of the individual who is the subject of a request and the records sought can be disclosed internally for purposes of retrieving or correcting records, care should be taken to limit disclosure to individuals who have a need to know to fulfill these purposes. Likewise, the identity of representatives should be protected and disclosed only if there is a clear need to know in order to perform duties and functions related to the administration of the Act. In other circumstances, where the identity of the requester is considered especially sensitive, institutions may want to restrict access within the processing system to only those exercising discretion on final disclosures under the Act.

    The same caution should be exercised to protect the personal information of individuals who make informal requests. ATIP personnel and all employees of government institutions must be mindful of the need to respect the confidential nature of Privacy Act requests.

    Pursuant to subsection 69(2) of the Act, it is not necessary to protect the confidentiality of any personal information that the requester has made public (for example, when the requester has spoken about the request in a public forum or when the media have reported on the request). However, this requirement applies only to personal information that is publicly available. More information concerning this subsection is in Chapter 11 of this manual.

    6.5 Procedures and systems

    Section 4.2.25 of the Policy requires institutions to establish effective procedures and systems to respond to personal information requests to ensure that:

    • requests can be received through the prescribed platform (the ATIP Online Request Services), unless an exception is granted, and can be received in written format by other means
    • requests are processed using prescribed platforms, when platforms have been prescribed, unless an exception is granted
    • deliberations and decisions concerning requests received under the Act are documented
    • the requested personal information is reviewed to determine whether it is subject to the Act, and if it is, determining whether any exemptions apply
    • the principle of severability is applied
    • any consultations necessary for the processing of requests made pursuant to the Act are undertaken

    Pursuant to 4.1.15 of the Directive (use of prescribed platforms), ATIP offices are to receive requests through the ATIP Online Request Service, which is the prescribed platform listed in Appendix D of the Directive. Enterprise‑approved solutions for processing requests are available through established contracting vehicles. However, there is no prescribed processing solution for processing requests at the time of publication of this chapter. Should one be prescribed, institutions would be required to use it pursuant to 4.1.16 of the Directive. TBS will provide sufficient notice before instituting such a change.

    As a best practice, procedures for processing personal information requests should be made available to the public. These procedures may describe:

    • the steps required to process personal information requests
    • the practices of the institution concerning informal access

    6.5.1 Documentation

    It is important that government institutions document decisions taken at each stage of the process, as required by the following Treasury Board policies and directives:

    • Pursuant to Policy on Service and Digital,Footnote 1 deputy heads are responsible for “ensuring that decisions and decision‑making processes are documented to account for and support the continuity of departmental operations, permit the reconstruction of how policies and programs have evolved, support litigation readiness, and allow for independent evaluation, audit, and review.”
    • The Directive on Service and DigitalFootnote 2 requires that institutions support recordkeeping requirements of information resources of business value, including “identifying, establishing, implementing and maintaining designated corporate repositories in which information of business value is managed throughout its life cycle while respecting privacy and security requirements.” Managers are responsible for “informing employees of their duty to document their activities and decisions of business value.” Employees are responsible for “documenting their activities and decisions of business value.” The term “information resources of business value” is defined as "published and unpublished materials, regardless of medium or form, that are created or acquired because they enable and document decision‑making in support of programs, services and ongoing operations, and support departmental reporting, performance and accountability requirements.”
    • Section 4.2.25.3 of the Policy on Privacy Protection requires institutions to document “deliberations and decisions made concerning requests received under the Act.” This documentation may become necessary as evidence during the review process, especially during the review of an institution’s decisions (for example, notices of extension by the Privacy Commissioner).
    • Section 4.1.18 of the Directive on Personal Information Requests and Correction of Personal Information requires institutions to document the processing of requests “by placing on file all documents that supported decisions under the Privacy Act, including communications where factors considered when exercising discretion are discussed, recommendations are given, rationales are provided and decisions are made.”

    The inputs to decisions that should be documented include:

    • factors that were considered when exercising discretion in applying exemptions (information on exemptions and how to exercise discretion can be found in Chapter 9 of this manual)
    • rationales in support of extensions of time.

    6.5.2 Tracking system

    Section 4.1.17 of the Directive requires institutions to establish and maintain an internal management tracking system to keep track of the processing of personal information requests and correction requests; corrections or notations made; complaints; reports and recommendations from the Privacy Commissioner and reviews by the courts. Further, section 4.1.11 of the Directive requires institutions to document “when the wording of the revised request, as agreed by the requesters, and the date of the revision when a request has been clarified or its wording altered.”

    6.6 Analysis of the request

    On the day that a personal information request is received, or as soon as possible thereafter, it must be recorded in the tracking system, including the date of receipt. Institutions are responsible for reviewing the requests available to them through the ATIP Online Management Tool, email or other processing platforms. To avoid missing requests, institutions should review these platforms at least once a day. Institutions may sign up to receive email notifications that a request has been submitted. Further information on the ATIP Online Management Tool , including training and support services, is available online.

    Any requests received through other means, such as email, letter or fax, should be date‑stamped when received.

    On the same day that a request is received, or as soon after as possible, the request should be reviewed to determine whether:

    • the requester has a right of access to the information sought
    • the application is clear and complete and whether the Act’s requirements are met
    • the application was sent to the appropriate government institution
    • the requested information may be obtained informally without recourse to the Act

    Information on the right of access is found in Chapter 5, and information on informal access is found in section 6.3 of this chapter.

    6.6.1 Complete and understandable request

    Formal requests are made under the Actfor access to personal information under the control of a government institution. There are deadlines for responding. In addition, the requester has a statutory right of complaint to the Privacy Commissioner. Formal requests are defined in Chapter 3 of this manual [pending].

    A request for access to personal information meets the requirements of section 13 of the Act and section 8 of the Privacy Regulations (the Regulations), and is considered “complete” if:

    • the request is made in writing using the Personal Information Request Form, the ATIP Online Request System, or alternate formats such as email or on paper
    • the request provides sufficient detail such that the personal information is reasonably retrievable by an experienced employee of the institution. To do so, the request may specify which personal information bank (PIB) is the subject of the request, or which class of personal information if the information is not contained in a PIB;
    • the request is for the individual’s own personal information, as set out by subsection 12(1) of the Act, or pursuant to section 10 of the Privacy Regulations, the request is for access to personal information on behalf of another individual. These requests are limited to exercising the right to access:
      • on behalf of a minor by the administrator of the minor’s affairs
      • on behalf of a deceased person by the administrator of the deceased person’s affairs
      • on behalf of any individual by a person authorized in writing to do so by that individual

    A personal information request is treated in conformity with all applicable provisions of the Act, including the timelines for response, notification requirements, and the right of complaint to the Privacy Commissioner concerning the processing of the request.

    6.6.2 Incomplete request

    The 30‑day statutory deadline for responding to the request (section 14 of the Act) does not start until the request is complete.

    Requests are considered “incomplete” if they are unclear, provide insufficient information, or are overly broad. Such situations can also include those in which the requester does not provide adequate identification.

    Pursuant to section 4.1.9 of the Directive, institutions are to communicate promptly with the requester when necessary to clarify an unclear or otherwise incomplete request. The institution should contact the requester as quickly as possible within 30 days of receiving the request, to clarify the request. The institution should inform the requester of the steps required to complete the request and of the right to complain to the Privacy Commissioner if the requester believes that the wording of the request was already complete. The processing of the request may be on hold if the institution is unable to process the request until the clarification is received. When the requester clarifies their original request, the 30‑day time limit is in effect or resumes the day after the modified request is received. Pursuant to 4.1.11 of the Directive, institutions must document the wording of a revised request, as agreed by the requester, and the date of the revision when a request has been clarified or its wording altered.

    6.6.3 Request for information that relates to another piece of legislation

    The requester should be informed at an early stage if the request is covered by legislation other than the Act. For example, some requests might more appropriately be made under the Access to Information Act, or theCorrections and Conditional Release Act. A clear explanation of the implications and timelines of making the request under those Acts should be given (when known). The legislation pursuant to which the request is most appropriately made will depend on the nature and purpose of the request. However, the individual is not legally precluded from making a request under the Privacy Act.

    6.6.4 Request not sent to the appropriate office

    Personal information requests should be submitted through the TBS‑prescribed platform for receiving requests, the ATIP Online Request Service, pursuant to 4.2.25.1 of the Policy. If the requester opts to send a paper form, it must be submitted to the institution’s ATIP Office. Should a requester send the request to another office of the institution or to the minister’s office, it should be forwarded immediately to the ATIP Office.

    6.6.5 Requests that cannot be processed

    The Act requires institutions to process requests only when it is clear the records are likely to be under the control of the receiving institution. The Principles for Assisting Requesters does not indicate that an institution is required to inform a requester that records may be under the control of another institution. However, institutions are encouraged to inform the requester how to proceed with a request whenever it is possible and reasonable to do so. For example, if the institution knows that the personal information in question might be held by a provincial ministry (for example, birth certificates and land titles), it could inform the requester accordingly. It may also be appropriate to refer the requester to Info Source.

    When requests are sent to an institution that clearly does not have control of the information, such as a request for a copy an individual’s visa application, which should have been sent to Immigration, Refugees and Citizenship Canada but which was submitted to the Impact Assessment Agency of Canada, it is a best practice to open an alternative file type in the electronic processing system. The particulars of the request are documented in the system, but the request is not assigned an official file number. These steps are necessary as these types of requests do not meet the requirements of a formal request and are not captured in the annual statistical report. The institution can describe the steps taken prior to responding. For example, it can note that it does not have control over the personal information based on its inability to locate it as there are no PIBs on the subject and no programs or activities where this type of information is routinely collected within the institution. Appendix A includes a model letter that can be adapted for these types of scenarios.

    6.6.6 Requests for de identified information

    An important privacy‑preserving technique increasingly used in the government is de-identification. It may be used, for example, to mask names in lesson‑learned reports with regard to specific security or harassment events. It can also be used in data sets for Gender‑Based Analysis Plus (GBA Plus), evaluation or other non‑administrative uses. When information is published as an open data set or open information, it must be anonymized to ensure an almost‑nil risk of re‑identification. More information on de‑identification can be found in the Privacy Implementation Notice 2023‑01: De‑identification.

    Records that are de‑identified or anonymized may not be considered reasonably retrievable by the institution if ultimately, they are stored in a manner where individuals are not identifiable as defined in section 3 of the Privacy Act. This may also include records that, by law or regulation, are intended to not identify individuals.

    6.6.7 Clarifying the request

    General information

    Clarifying a request may be helpful to both the institution and the requester. Although institutions are to process requests without value judgments on the nature of the request itself, there are practical considerations with respect to the ability of an ATIP Office to complete all requests received in a timely fashion. Vague and overly general requests unnecessarily increase workloads for institutions and may result in the processing and release of information that is of no interest to the requester. Narrowing the scope of the request may also reduce the time required to process the request.

    Pursuant to section 4.1.9 of the Directive, institutions must adopt a broad interpretation of a personal information request and communicate promptly with the requester when necessary to clarify the request. An institution has no obligation to request clarification of a request that is, on its face, clear. However, in some cases, the request may not sufficiently describe the records sought, may be expressed in overly broad terms because of a lack of knowledge about government operations, or may be unclear because of inaccurate or inconsistent terminology. Given the need to protect the identity of the requester, a reasonable approach should be taken when interpreting and tasking a request for personal information. Only those offices of primary interest (OPIs) and employees in them who have a need to know should be tasked with searching for records, especially if they could directly or indirectly identify the requester.

    Pursuant to section 4.1.10 of the Directive, an institution should assist the requester in reformulating a request where it would result in the requester receiving more complete, accurate and timely access. The institution and the requester should discuss possible alternative wording that will make the request clearer for the subject‑matter experts who may have records relevant to the request and for the ATIP personnel who will process the request. The institution’s Info Source website can be used to help clarify requests.

    Institutions may also help the requester define the subject of the request, the specific types of records of interest, and the time period for which records are being requested. For example, a requester might ask for “all emails with my name in them held by the Treasury Board of Canada Secretariat.” The requester is likely interested in emails about a specific event. In this case, the institution should clarify whether the request covers every time the individual’s name appears in an email distribution list, whether only select individuals at TBS should be tasked with the request, whether emails on a specific topic should be the focus, or whether particular months are of interest. Following the clarification, the date range could be narrowed and specific individuals could be tasked. The scope of the request could be broadened at a later date, as needed.

    If the request remains unclear after the institution has provided all possible reasonable assistance in clarifying the request, the institution is not expected to seek further clarification. Section 13 of the Act imposes an obligation on the requester to either identify the PIB in which the information is contained (if requested under 12(1)(a)) or to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution (if requested under 12(1)(b)). In Leahy v. Canada (Citizenship and Immigration), 2012 FCA 227, the Federal Court of Appeal concluded that given the requester’s failure to provide more specific information on the location of the requested personal information when invited to do so, Immigration, Refugee and Citizenship Canada’s decision to limit the scope of the request was reasonable.

    In cases where some elements of a request can be clearly identified, they should be processed in the usual way, and the institution should explain to the requester why it cannot process the remaining elements.

    After a request has been clarified, the information being requested should be evident to both parties. Pursuant to 4.1.11 of the Directive, institutions must document the wording of a revised request, as agreed by the requester, and the date of the revision when a request has been clarified or its wording altered. In other words, the institution must confirm, in writing, its understanding of the revised request. This confirmation will provide a definite reference point for the date processing began or continued and will document the agreement between the institution and the requester about the nature and scope of the request that has been clarified. Furthermore, the deadline for responding to the request may be changed to take into account the clarification or modification.

    Asking for more information

    The purpose of asking for more information from the requester is to clarify the nature of the information sought, not to discover the reasons for the request. The requester should be assured that there is no obligation to disclose the nature of their interest as a precondition for exercising the right to personal information and that they will not be treated differently if additional information is not provided. Furthermore, institutions should be careful not to ask questions that could be interpreted as dissuading the requester from proceeding with the request. Institutions should be prepared to explain to the requester why they are asking for more information.

    Requesters cannot reasonably be expected to possess identifiers (for example, a file reference number or a description of a particular record) unless this information has been made available. To help a requester clarify a request, an institution might:

    • provide an outline of the different kinds of information that might exist in relation to the request
    • refer the requester to the institution’s website and to its Info Source page
    • ask the requester for information on the status of their file (For example, if it was an application for a service, was it just submitted or is it likely nearing approval. This information can assist in determining who within the institution is most likely to have the most up‑to‑date and accurate information.)

    The above examples are not exhaustive, and institutions should be flexible in offering advice and assistance appropriate to the circumstances of the requester in accordance with the “duty to assist.”

    Records previously released

    Due to the protected nature of personal information requests, personal information that has been released for one individual’s request cannot be released as part of a personal information request for another individual.

    In the case where an individual has submitted a repeat or follow‑up request for their own information multiple times, it may be appropriate to reuse the same records that were released. However, new circumstances may affect a decision to release or withhold a record. Each record must be judged in relation to the exemption provisions that apply at the time of the new request. It is furthermore necessary to consider the wording of the new request. While there may be some records relevant to both the original request and the new request, it is also possible that there will be records released in the original request that are not relevant to the new request, and vice versa. Each new request should be reviewed carefully to guarantee a complete response, while avoiding the inclusion of records that are not of interest to the requester.

    Amending the request

    The requester may want to amend their request to narrow the scope to include only records of interest or to otherwise modify the request. Alternatively, an institution could propose to the requester to split a request into several smaller requests based on time frame, type of record, or subject. In some cases, the deadline for responding to the request may shift to a later date depending on the length of time it took to clarify this. In other cases, narrowing the scope of a request or splitting a request into smaller requests may enable more timely access to some or all of the information that is of interest to the requester. All of the particulars surrounding the amendment should be documented in the tracking system, in accordance with section 4.1.11 of the Directive, and the new due date should be calculated automatically. The requester should be informed of any change in timelines and of other consequences of amending the request.

    6.7 Acknowledging the request

    Pursuant to 4.1.7 of the Directive, the institution must acknowledge receipt of a request. This should be in writing at the earliest possible date and no later than 30 days after receipt.

    The acknowledgement must include:

    • the legislative due date for the response
    • the contact information of the appropriate officer within the institution to whom questions and requests for further clarification may be addressed
    • notification of the right to complain to the Privacy Commissioner
    • a copy of the Principles for Assisting Requesters or the link to them online

    The acknowledgement may also indicate:

    • that the request has been received, the date it was received, and that processing has begun
    • or
    • that the request is not clear or precise enough and that more information is needed before processing can begin, that the request will not be considered complete and actionable until additional information is provided, and that it will be abandoned if a reply is not received by a set date

    Given the operational constraints faced by many institutions, it is a best practice to send the acknowledgement letters or emails as soon as possible. Doing so can alleviate concern on the part of the requester as to whether the institution actually received the request, can prevent follow‑up inquiries that require additional institutional resources to address, and can avoid many resources being dedicated to answering those inquiries. Acknowledgement letters also clarify the date the request was received by the institution (as opposed to the date on which the requester submitted it) along with the legislative due date. For institutions that opt to not take an extension on a request or that miss the opportunity to do so, the acknowledgement letter or email will at a minimum provide the requester with the understanding that the institution is in deemed refusal.

    Model acknowledgement letters can be found in Appendix A.

    6.8 Search of the relevant records

    Section 4.2.22 of the Policy requires institutions to make every reasonable effort to help applicants receive complete, accurate and timely responses to requests made under the Act, which means that the institution must be able to locate the requested personal information quickly. Section 4.2.2 of the Directiverequires employees of government institutions to make every reasonable effort to locate and retrieve the personal information under the control of the government institution. Pursuant to section 4.2.3 of the Directive, they are also to ensure that searches for records are comprehensive and consider both the letter and the intent of the request.

    Unless the personal information sought is clearly outside the institution’s mandate, the institution should follow its established procedures for all personal information requests and confirm with the OPIs and their central records offices (if applicable) whether any relevant records exist. When an institution has conducted a previous search in response to a similar request, the institution must conduct a completely new search when there is any possibility that the current request is not for the same personal information. If the previous search was for the same information but for a later time period, the institution must search for records that may have been created since the previous search.

    A search for responsive records must consider all records under the control of the institution, regardless of medium or form. Institutions are to establish procedures consistent with case law and with TBS guidance to determine whether the personal information is under their control pursuant to 4.2.19 of the Policy. They are to follow these established procedures to determine whether the personal information is under the control of the government institution, pursuant to 4.1.19 of the Directive. If employees have questions about whether the personal information is under the control of the government institution, they are to refer these questions to the ATIP officials with delegated authority for their determination, pursuant to 4.2.4 of the Directive. See Chapter 3 [pending]of this manual for the more information on the notion of control.

    An institution must search all active and dormant locations where relevant records might be found, including offices of individuals, regional offices, offices located in other countries, and off‑site locations such as public or private storage facilities. The institution may also have to search for records that are under its control but in the hands of a third party (for example, records maintained by agents, consultants or other contracted service providers). An institution does not need to search for records under the control of other government institutions.

    Sometimes an institution may not have the ability to retrieve and process records easily (for example, if damaged records are being restored and it will take several weeks before they are available). As a best practice, the requester should be informed of any unexpected delays.

    Another good practice to ensure the completeness of the search is to ask the OPIs involved in retrieving the records if they are aware of other branches and sectors of the institution holding records that may be responsive to the request.

    In the event of a complaint about the adequacy of the search, the institution should be able to describe the steps taken to identify and locate responsive records. This includes documentation of the search terms and parameters used in retrieving electronic records.

    Search of backup servers

    A search of the institution’s backup servers could be contemplated to locate records responsive to a personal information request in exceptional circumstances. Although, in the case of Oleynik v. Canada (Privacy Commissioner), 2016 FC 1167, the Court upheld that the request to search backup servers was not reasonable, institutions can be presented with arguments by the requester to meet both the criteria of “sufficiently specific” and “reasonably retrievable” by the institution.

    Search of servers administered by Shared Services Canada

    As explained in section 3.4.6 [pending] of this manual, Shared Services Canada administers information technology services for 43 federal organizations, and for itself. The records of these organizations still remain under their own control, as stipulated in section 16 of the Shared Services Canada Act. Data housed in servers managed by Shared Services Canada is segregated, and institutions retain access rights to their own data. Institutions continue to be responsible for the creation, maintenance, use, disclosure and disposal of their electronic information holdings. Processing personal information requests also remains the responsibility of each institution’s ATIP Office.

    ATIP offices should direct any requests for server searches to their Chief Information Officer (or equivalent), who is the point of contact between the institution and Shared Services Canada. Shared Services Canada will give the institution sufficient access to conduct its own search for responsive records.

    Gathering records from ministers’ offices

    The office of a minister is not part of the department over which the minister presides, and normally, records held exclusively in a minister’s office are not subject to the Act. In Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25, [2011] 2 S.C.R. 306 concerning the relevant provisions of the Access to Information Act, the Supreme Court of Canada confirmed that the office of a minister is not part of the department over which the minister presides and that records held exclusively in a minister’s office are generally not subject to the Act. However, a document held exclusively in a minister’s office will be deemed to be under the control of a government institution if the following two‑step test is satisfied:

    1. The content of the record relates at least in part to an institutional matter.
    2. The government institution could reasonably expect to obtain a copy of the record upon request.

    If a record meets the first step of the control test, the test continues to the second step.

    The second step is an objective one to be assessed on a review of all relevant factors, including:

    • the substantive content of the record
    • the circumstances in which it was created
    • the legal relationship between the government institution and the record holder

    The Supreme Court of Canada also stated the following in Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25, [2011] 2 S.C.R. 306:

    • “There is no presumption of inaccessibility for records in a minister’s office.”
    • “[The] test does not lead to the wholesale hiding of records in ministerial offices.”

    A record in a minister’s office that falls within the scope of a personal information request must be processed when it meets this test. This requirement does not mean that a request always entails a search for relevant records in the minister’s office. The ATIP Office must ask the minister’s office to search for relevant records only when there are reasonable grounds to believe that the minister’s office has relevant records that would be under the institution’s control, as described above.

    For example, if an institution receives a request pertaining to an individual who had applied for a benefit from the institution and who had subsequently contacted the minister’s office pertaining to that application, it is recommended that the ATIP Office consult its legal advisors when considering whether to request that the minister’s office search for relevant records.

    The search for responsive records does not need to be conducted personally by the minister or their delegate under the Act. Although a member of the minister’s exempt staff may conduct the search, they cannot decide whether the records are relevant and under the control of the institution. The minister or their delegate must make the final determination.

    6.9 Creating records to respond to a personal information request

    Broadly, there are three categories of personal information recorded in any form in institutions:

    1. those that exist and are under the control of the institution at the time of the request
    2. those that exist (and are under the control of the institution) but only in a machine‑readable form or a database
    3. those that do not exist

    Institutions have a duty to make every reasonable effort to respond to a request accurately and completely, whether or not the requested record already exists (pursuant to section 4.2.23 of the Policy and sections 4.2.2 and 4.2.3 of the Directive). This is referred to as the “duty to assist.”

    Transcriptions of audiotapes, videotapes or handwritten notes

    Subject to considerations relating to subsection 17(3) of the Act, when a requester has a sensory disability, the Act does not require institutions to prepare a transcript of an audiotape or videotape if one does not already exist. However, given the passage of time and the advancement of software, institutions may want to adopt a practice to create these records. The institution might consider discussing with the requester whether this approach would meet their needs.

    It is usually not necessary to transcribe handwritten notes. A transcription would create a new record, and if the notes were hard to read, the institution would be unable to guarantee accuracy. However, it may be appropriate to transcribe illegible handwritten notes if the author is still an employee of the institution and is able to decipher the notes despite the passage of time.

    6.10 Preparing the processing file

    Once the records have been located, either the program area or the ATIP Office prepares them for review for responsiveness and the possible application of exemptions and exclusions. When preparing the processing file, the following issues should be addressed:

    • Do the records gathered respond to the request?
    • Are there other records referenced in the located records (for example, attachments) that might be relevant and have not yet been located?
    • Does it appear that records may be found in program areas other than those already identified, and should the search be widened?
    • Are the copies legible?

    Best practices include placing responsive records in chronological order and removing all duplicates and records that are not relevant to the request.

    6.11 Applying the provisions of the Privacy Act

    After the records have been retrieved and the processing file has been created, the records are reviewed, line by line, to determine whether they can be disclosed or whether exemption or exclusion provisions apply. Chapters 910 and 11 of this manual contain detailed information on the application of exemptions and exclusions in general; they also provide advice and interpretation on each exemption and exclusion provision.

    During this step, the ATIP analyst also considers whether an extension of the time limits is necessary (see section 7.2 of this manual).

    6.12 Exercise of discretion

    In the ATIP context, discretion consists of the power given to the head of an institution or their delegate to make a decision. They must act in good faith and consider the relevant facts and circumstances. This includes the purpose and the proper application of the Act.

    Multiple provisions of the Act that relate to the processing of a request require the exercise of discretion. Specifically, the Act gives the head of the institution the power to make a decision on:

    • the extension of the time limit
    • the application of discretionary exemptions

    6.12.1 Requirements of the Policy and the Directive

    The heads of government institutions or their delegates are responsible for:

    • exercising discretion under the Act and associated regulations in a fair, reasonable and impartial manner with respect to decisions made in the processing of requests and the resolution of complaints pursuant to the Act, as prescribed in section 4.2.20 of the Policy
    • exercisingdiscretion in a fair, reasonable and impartial manner after completing the following steps, as prescribed in section 4.1.1 of the Directive:
      • considering the purpose of the Act, which is, in part, to provide individuals with a right of access to their personal information, subject to limited and specific exemptions; and the right to request correction of their personal information
      • considering all relevant factors for and against disclosure, the relevant provisions of the Act, as well as applicable jurisprudence
      • consulting with government institutions, as necessary
      • reviewing the information contained in records
    • documenting the processing of requests by placing on file all documents that support decisions under the Privacy Act, including communications where factors considered when exercising discretion are discussed, recommendations are given, rationales are provided and decisions are made, as prescribed in section 4.1.18 of the Directive

    6.12.2 Rules for the exercise of discretion

    Discretion is not absolute. Several court decisions on the closely related Access to Information Act address how discretion should be validly exercised. These decisions include Attaran v. Canada (Foreign Affairs), 2011 FCA 182, Leahy v. Canada (Citizenship and Immigration), 2012 FCA 227, and Ontario (Public Safety and Security) v. Criminal Lawyers’ Association, 2010 SCC 23. They can be summarized as follows.

    1. Discretion must be exercised:
      • by the head of the institution or their delegate
      • on reasonable grounds
      • freely (the decision maker must act on their own judgment and not under the dictation of anyone else)
      • in a fair, reasonable and impartial manner (there must be an absence of bad faith, which includes self‑interest, undue favour or animosity on the part of the decision‑maker)
    2. When exercising a discretionary power, the decision‑maker must:
      • act in good faith
      • consider all relevant factors and disregard irrelevant ones
    3. The discretionary power must not be used for an improper purpose. Discretion must be exercised in conformity with the letter and spirit of the statute and according to its true purpose and requirements.
    4. The decision‑maker must exercise their discretion in each case. In each instance, the merits of that case, and not a rigid policy laid down in advance, must be the determining factor. General guidelines may be laid down in advance, as long as the decision‑maker still considers the merits of each case in light of the guidelines and is prepared to make exceptions in appropriate cases.

    6.12.3 Additional information

    There may be exceptional circumstances where it is acceptable to always exercise discretion in the same manner, as described in Ruby v. Canada (Solicitor General), 2004 FC 595 (paragraph 14). In this case, the requester had sought access from the Department of External Affairs to his personal information contained in a PIB related to ongoing investigations. The Court ruled that, given the factual circumstances of the case, it was a reasonable exercise of discretion to adopt a general policy of never confirming the existence of information in the PIB in question.

    Absent exceptional circumstances, each request should be assessed on its own merit, allowing precedents to serve only as guidance in determining whether to disclose the requested information. Accordingly, the basis for the final decision to apply an exemption should include the results of the review of the personal information, the results of any consultations and, where necessary, the opinion of the institution’s legal advisor.

    Section 9.4 of this manual provides additional information on the exercise of discretion when applying exemptions, including factors that are relevant when exercising discretion (for example, the purpose of the Act, the context of a request and the public interest).

    6.13 Consultations

    Consultations with officials of the institution, other government institutions or third parties may be necessary for the informed application of the exemption and exclusion provisions of the Act, and for the proper exercise of discretion.

    The courts have recognized the importance of consultations. For example, in Do‑Ky v. Canada (Minister of Foreign Affairs and International Trade), (T.D.) [1997] 2 F.C. 907 which deals with a parallel issue under the Access to Information Act, the Federal Court said, “…it is not a fettering of discretion to seek advice from the government departments most knowledgeable and directly involved with the situation at hand. In fact, not to do so would be irresponsible.”

    6.13.1 Requirements of the Policy and the Directive

    The heads of government institutions or their delegates are responsible for:

    • establishing effective procedures to ensure that any consultations necessary for the processing of requests made pursuant to the Act are undertaken promptly, as prescribed in section 4.2.25.6 of the Policy
    • consulting the institution’s legal counsel, in compliance with established procedures, prior to excluding confidences of the King’s Privy Council for Canada (section 70 of the Act), as prescribed in section 4.2.26 of the Policy
    • exercising discretion in a fair, reasonable and impartial manner after consulting with government institutions, as necessary, as prescribed in section 4.1.1.3 of the Directive
    • undertaking inter‑institutional consultation only when the processing institution requires more information for the proper exercise of discretion to withhold information or the processing institution intends to disclose sensitive information, as prescribed by section 4.1.24 of the Directive
    • ensuring that consultation requests from other federal government institutions are processed with the same priority as its own personal information requests, as prescribed by section 4.1.25 of the Directive

    It is a valid exercise of discretion to consult other parties and to adopt their recommendations, as long as this is done freely and not because the decision maker feels bound by the recommendations.

    6.13.2 Internal consultations

    In most cases, the views of employees of the OPIs are required to make an informed decision on disclosure. Section 4.2.7 of the Directive requires employees of government institutions to provide recommendations and contextual information to inform the head of the government institution, or their delegate, about possible exemptions or exclusions applicable to the personal information requested, taking into account the purpose of the Act.

    OPIs provide recommendations either at the time of retrieving the relevant records or when consulted by the ATIP Office. OPIs should provide background information necessary to put the information in context by explaining, for example, the circumstances relevant to the records (for example, that they were created for the purpose of briefing the minister or in contemplation of litigation), whether they are early drafts or final documents, or whether they contain unsubstantiated information. They should also give their assessment on the sensitivity of the records and provide justification for any recommendation for non‑disclosure. Individual institutions may have different procedures in place with their OPIs with respect to this process and how detailed the recommendations need to be.

    6.13.3 Consultations with other government institutions

    Requests for consultation should be sent to the ATIP Coordinator of the government institution being consulted. To assist the institution being consulted and to reduce the time required to complete the consultation process, the referring institution may consider adopting the following best practices:

    • Complete any consultations with Legal Services for potential cabinet confidences prior to sending the records to other government departments and agencies (OGDs). (Excluded records cannot be exempted, therefore the consultation would be moot.)
    • Include only records that are relevant to the request and that are of interest to the institution being consulted unless more records are necessary to provide context.
    • Sort documents in chronological order and remove duplicates.
    • Provide a preliminary assessment that:
      • indicates whether exemption or disclosure of the documents is considered appropriate
      • provides the rationale underlying that position, including contextual information and the specific exemptions considered applicable
    • Inform the institution if concurrent consultations with any OGDs are taking place.
    • Allow sufficient time for the institution to respond to the consultation request. A reasonable response time should be negotiated when required.
    • Coordinate, if both institutions are processing the same or similar requests simultaneously.

    When the OGD being consulted has recommended an exemption of certain information and the decision is to nonetheless disclose, the consulted institution should be informed of the decision before disclosure.

    Recognizing the importance of the consultation process, section 4.1.25 of the Directive requires that institutions give the same priority to consultation requests from other government institutions as they do to ATIP requests they receive directly.

    Special consultation protocols may be established between government institutions to address routine requests that involve a large volume of information, if consultations are frequent or in cases of certain categories of records. These arrangements should be documented and should meet the requirements of any applicable policy instruments.

    Consultations with respect to sections 21 (international affairs and defence), 22 (law enforcement and investigation), and 23 (security clearances) of the Privacy Act

    Previously, there was a requirement under the Directive to consult Global Affairs, National Defence or the law enforcement or investigative body that obtained or prepared the information if sections 21, 22 or 23 of the Act were being considered. This resulted in these institutions being consulted on requests in which no disclosure was being proposed. As mentioned in section 6.13.1 of this manual, the latest version of the Directive has been revised. Section 4.1.24 now requires that institutions be consulted with regard to any exceptions only when:

    • the processing institution requires more information for the proper exercise of discretion to withhold information
    • the processing institution intends to disclose sensitive information

    Sensitive information is defined in the Policy on Government Security as “information or asset that if compromised would reasonably be expected to cause an injury.” This injury could be to an individual, an organization or a government.

    If a consultation is received by one of these institutions or by any other institution and it is not evident that one of the two criteria has been met, the institution is not obliged to process the consultation and should reply accordingly to the requesting institution.

    Mandatory consultation with respect to section 70 (confidences of the King’s Privy Council for Canada) of the Privacy Act

    As mentioned above, section 4.2.26 of the Policy requires that heads of government institutions or their delegates consult their institution’s legal counsel, in compliance with established procedures, prior to excluding Cabinet confidences.

    6.14 Notices

    The Act requires government institutions to give written notice to the requester during the processing of a personal information request.

    Response to the request

    Section 14 of the Act requires that government institutions “subject to section 15, within 30 days after the request is received, give written notice to the individual who made the request as to whether or not access…will be given.” Pursuant to section 4.1.29 of the Directive, institutions are to provide written notice to the requester of whether access is being granted. The 30 days allowed by the Act are calendar days, as provided for in subsection 27(5) of the Interpretation Act.

    Pursuant to section 4.1.30 of the Directive, an institution is to provide access to the information or part thereof, or to notify the requester if access is refused. If access is refused, the institution must state, in accordance with section 16 of the Act:

    • that the personal information does not exist
    • or
    • the specific provision of this Act on which the refusal was based or the provision on which a refusal could reasonably be expected to be based if the information existed

    As a general practice, the exemptions applied to specific portions of a record to be disclosed in part should be indicated in the margin of the record. A covering letter listing the exemptions might be more appropriate when, for example, the notation in the margin might in and of itself cause injury. Institutions may provide the requester with a copy or a link to the Privacy Act: Plain Language Guide to Exemptions and Exclusions, when records containing the requested personal information are provided. The institution must also notify the requester of their right to complain to the Privacy Commissioner in respect of matters relating to personal information requests, pursuant to 4.1.31 of the Directive.

    Indicating existence of information (neither confirm nor deny)

    When no personal information is to be disclosed to the requester, either because it does not exist or because it is exempted or excluded, subsection 16(2) of the Act provides that an institution may, but is not required to, indicate whether personal information exists. Such refusals to indicate the existence of personal information are reserved for situations where acknowledging the existence of the information could in itself disclose exemptible information to the requester. This is a situation that is most likely to arise in relation to security and law enforcement. In these circumstances, paragraph 16(1)(b) requires that the refusal notice to the requester indicate the provision on which refusal of access to the information could be based if the information existed.

    An example is an applicant who wants to know whether they are the subject of an investigation by an investigative body and files a request pursuant to subsection 12(1) of the Act for the disclosure to them of their personal information. In such a case, merely revealing whether the institution had information about the applicant may disclose whether they were a subject of investigation. Therefore, the head of the institution or their delegate may indicate to the applicant that they neither confirm nor deny the existence of the information, but that if the information existed, it would be exempted under paragraph 22(1)(a) (or another provision, as applicable).

    Extension

    A notice of extension must be sent within 30 days of the receipt of the complete request (see section 6.6.1 for what is considered a complete request). The notice must stipulate the length of the extension, which must be for no more than 30 days when the extension is claimed under paragraph 15(a), or for a reasonable period of time under paragraph 15(b). The notice must also inform the requester of their right to complain to the Privacy Commissioner about the extension. For more information, see Chapter 7: Time Limits.

    Extensions should not be taken when the institution intends to invoke subsection 16(2) of the Act. In Ternette v. Canada (Solicitor General) (T.D.), [1992] 2 FC 75, an inadvertent public admission of the existence of information necessitated a further review of material maintained in exempt bank and portions of personal information were released to the applicant. Although an institution may have a large volume of pages related to the request, the requester cannot be made aware of a page count, as this would confirm the existence of records that the institution intends to neither confirm nor deny the existence of.

    The following table summarizes the notices government institutions must give to requesters, as well as notices the Privacy Commissioner must give to requesters and to government institutions.

    Recipient Statutory provision Critical date Purpose
    Requester Response to a request: sections 14 and 16 30 days from receipt of complete request, subject to section 15 Government institution to indicate whether access is to be given. When access is not given, the notice should inform the requester of the right to complain to the Privacy Commissioner and identify the provision of the Act pursuant to which the refusal is based.
    Extension of time limits: section 15 30 days from receipt of complete request Government institution to indicate time extension
    Report to complainant: subsection 35(2) Upon expiration of time given for notice under paragraph 35(1)(b) Privacy Commissioner to report results of investigation
    Right of review: subsection 35(5) Upon expiration of time given for notice under paragraph 35(1)(b) Privacy Commissioner to notify complainant of right to apply to the Federal Court where institution does not give access
    Government institution Notice of intent to investigate: section 31 Before commencing investigation Privacy Commissioner to notify institution of complaint, its substance and intent to investigate

    Model extension letters can be found in Appendix A of the manual.

    6.15 Preparing the records for disclosure

    6.15.1 Severing records

    It is important to ensure that the requester cannot retrieve severed information.

    For electronic records, inadvertent disclosure may occur in several ways. It is difficult to completely remove information from most electronic media, and several computer programs allow the retrieval of previous versions of an electronic document. Institutions must ensure that electronic severance is permanent before disclosing the records. Procedures for producing severed electronic documents should be followed consistently to reduce the risks of inadvertent disclosure.

    For records in paper format, protected information is sometimes blacked out with a marker, redacted using a special photocopier, or masked and then recopied. Institutions must ensure that the severed information cannot be read on the copy given to the requester.

    6.15.2 Marking exemptions

    Section 9.10 of this manual provides information on marking exemptions.

    6.16 Approval

    After all consultations and notifications have taken place and the review of the records has been completed, the head of the institution or the delegate makes a decision on disclosure or non‑disclosure of the relevant records that contain personal information.

    6.17 Responding to the request

    Once the head of the institution or the delegate has decided which records should be disclosed (see section 6.15 of this manual), a response is sent to the requester. This section provides information about the contents of the response letter; the language; the method and format of access; and access by people with sensory disabilities.

    6.17.1 Response letter

    As mentioned in section 6.12 of this chapter, section 14 of the Act requires that government institutions “subject to section 15, within 30 days after the request is received, give written notice to the person who made the request as to whether or not access…will be given.”

    If access is given, the institution must give access to the record or part thereof.

    If access is refused, section 16 of the Act requires the institution to state:

    • that the personal information does not exist

      or

    • the specific provision of this Act on which the refusal was based or the provision on which a refusal could reasonably be expected to be based if the information existed

    The institution must also inform the requester of the right to complain to the Privacy Commissioner about the refusal.

    In Leahy v. Canada (Citizenship and Immigration), 2012 FCA 227, the Federal Court of Appeal found that Immigration, Refugees and Citizenship Canada had failed to provide an evidentiary basis sufficient to permit the Federal Court or the Federal Court of Appeal to properly review the decision to withhold information. In a postscript, the Federal Court of Appeal reiterated what is sufficient information for a reviewing court to discharge its role. The Federal Court of Appeal indicated that this could be achieved by ensuring that the decision letter or the court record contains the following information:

    1. who decided the matter
    2. their authority to decide the matter
    3. whether that person decided both the issue of the applicability of exemptions and the issue of whether the information should, as a matter of discretion, nevertheless be released
    4. the criteria that were taken into account
    5. whether those criteria were or were not met and why

    The Court stated that “in many cases, in perhaps no more than a few lines, the decision letter can address items (1), (2) and (3). Similarly, it is an easy matter for the decision letter to address item (4).… As for item (5), this information may be evident from the documents themselves.”

    Section 9.11 of this manual provides information on disclosing the existence of records.

    Section 6.14 of this manual examines the requirements for explaining the reasons for refusal and the records disclosed.

    Model response letters can be found in Appendix A of the manual.

    6.17.2 Language of access

    An institution needs to respond to a request in only one of the two official languages, as chosen by the requester. The response to a request for personal information is a service to the public under the Official Languages Act, and correspondence and communications with the requester should be in the official language of the requester, in accordance with that Act. Regarding the language of the personal information that is responsive to the access request, the Privacy Act specifies that if the person requests access in a particular language, the information will be translated if translation is necessary for the requester to understand the information. However, if the personal information exists in both languages, it should be given in the language requested, in accordance with paragraph 17(2)(a) of the Privacy Act.

    Paragraph 17(2)(b) of the Act requires the head of an institution to cause the personal information requested to be translated or interpreted if the translation or interpretation is necessary for the individual to understand the information. Section 4.2.23 of the Policy requires institutions provide the personal information in the official language requested, in accordance with subsection 17(2) of the Act. Section 4.1.13 of the Directive requires institutions to provide the personal information in the official language requested by the requester, including translating or interpreting the personal information when necessary to enable the individual to understand the information.

    The determination to prepare or deny a translation should be made by the head of the institution or the delegate on a case‑by‑case basis, according to the circumstances of the request. There would likely not be a need, for example, to seek a translation of a form that was supplied by the requester to the institution or of a chain of emails, in which the requester is in carbon copy, that forms part of the responsive information in the request.

    Government institutions should ensure that access is formally granted within the time limits set by the Act. When a translation is to be prepared and it appears that it cannot be completed within a reasonable period of time within the original or extended statutory deadline, the institution should inform the requester that:

    • access has been granted
    • a translation is being prepared and the date it is expected to be complete
    • the records, as they currently exist, may be examined or copied without having to wait for the translation

    The requester should also be provided with any other information the institution is required to communicate to them according to the prescribed notices described in section 6.14 of this manual.

    6.17.3 Method of access

    Subsection 17(1) of the Act requires that a person who is given access to personal information or a part thereof shall be given an opportunity to either examine the information or part thereof or be given a copy thereof, subject to any regulations made under paragraph 77(1)(o).

    When making a formal request under the Act, requesters are asked to indicate whether they would prefer to receive copies or to examine the records in person. Requesters who use the ATIP Online Request Service must select the format in which they would prefer to receive their request: electronic to their ATIP Online account; electronic by email, CD, or DVD (depending on size); paper copy; or in‑person examination. Similarly, the Personal Information Request Form asks requesters to choose between receiving paper or electronic copies or examining the records in person.

    Pursuant to 4.1.12 of the Directive, when a copy of the personal information cannot be made available, institutions are to provide an appropriate location and time within the government institution for the requester to examine the records containing the personal information.

    When processing requests, institutions always work with copies of the relevant records rather than with the originals to maintain the integrity of the original records. When access is granted, the person making the request obtains or examines a copy of the records.

    Copy of records

    If the person requests to examine the records in person, the institution may refuse the request in the following circumstances:

    • The record is disclosed in part, and the portion for which disclosure may be refused cannot reasonably be severed from it.
    • The record is in a form that does not readily lend itself to examination.

    In either of these circumstances, a copy of the records containing the personal information is provided to the person making the request.

    Examination of records

    The institution may require the person making the request to examine the records disclosed rather than to obtain a copy in any of the following circumstances:

    • The record or part thereof is so lengthy that reproduction of the record or part thereof would unreasonably interfere with the operations of the institution.
    • The record is in a form that does not readily lend itself to reproduction.
    • Providing a copy is prohibited under another Act of Parliament.

    Section 9 of the Regulations provides that if the requester is given an opportunity to examine the records, the head of the institution shall provide reasonable facilities for the examination and set a time for the examination that is convenient for the institution and the individual.

    6.17.4 Accessible format for requesters

    Given the age of the Act, some of terms relating to accessible format do not capture the government’s current definitions of barriers and disability. For example, while the Privacy Act refers to formats for persons with a “sensory disability,” the Accessible Canada Act uses “disability” for greater inclusivity. Institutions are advised to interpret this section broadly.

    When a person who has a barrier to access asks that information be provided in an alternative format and the record already exists in a format that is acceptable to that person, paragraph 17(3)(a) of the Act provides that access must be given. At present, alternative formats refer to different formats of presenting printed or electronic documents. Alternative formats can include audio, braille, electronic or large‑print versions of standard print.

    When the record already exists in more than one alternative format, institutions should give access in the format preferred by the person. If the record does not exist in an alternative format that is acceptable to the person, the head of the institution will, in accordance with paragraph 17(3)(b) of the Act, cause the information to be converted if the conversion is reasonable and they consider the conversion to be necessary to enable the individual to exercise their rights of access under the Act. Access should be given within a reasonable period of time. Consideration of necessity and reasonableness under paragraph 17(3)(b) of the Act should be applied generously, bearing in mind the government’s human rights obligations under the Canadian Charter of Rights and Freedoms and the Canadian Human Rights Act.

    Pursuant to 4.2.24 of the Policy, institutions are to provide the personal information in an alternative format, in accordance with subsection 17(3) of the Act, as requested when the requester has a sensory disability. Furthermore, pursuant to 4.1.14 of the Directive, institutions are to provide the personal information in an alternative format requested by an individual who has a sensory disability, including if it means converting the records to the alternate format when necessary to enable the individual to understand the information when it would be reasonable to cause the personal information to be converted.

    Necessary

    The head of the institution will determine whether the records to be disclosed to a person with a sensory disability must be converted to an alternative format to enable that person to access the records effectively (in other words, to use the information in them).

    In meeting the obligations set out in subsection 17(3), institutions should focus their efforts on understanding, based on the requester’s specific situation, what the requester deems to be the alternatives that work best for them. This is to ensure that the institution does not collect more information than is necessary about the requester’s disability. For example, the requester may be able to provide a file format that is compatible with their preferred assistive technology.

    Reasonable

    To assess whether it is reasonable to convert a record to an alternative format, the institution should consider all relevant factors. These may include the existence of the record within the government institution in another format that is useful to the person making the request, as well as factors that are specific to the individual requester.

    When determining whether to convert the record to an alternative format, institutions must consider human rights obligations. There is an obligation to provide the records in an alternative format to respect the Canadian Charter of Rights and Freedoms and the Canadian Human Rights Act.

    Seeking outside advice from accessibility experts may help an institution determine reasonableness and may also help estimate time and cost for conversion. Within the federal public service, the Accessibility, Accommodation and Adaptive Computer Technology (AAACT) Team at Shared Services Canada is an excellent source of knowledge on all alternative formats. AAACT serves all GC employees and departments, in person and remotely, in various types of work arrangements.

    In the private sphere, the CNIB Foundation (formerly known as the Canadian National Institute for the Blind) is a trusted source of information. The CNIB Foundation can be reached by email at accessibility@cnib.ca or by phone at 1‑866‑563‑2642.

    Volume of material

    When considering whether conversion of the information is reasonable, the institution must consider the volume of the requested material.

    Where the volume of material is the primary factor in a decision not to convert, the requester should be informed and given the option of narrowing the scope of the request.

    When considering what constitutes a reasonable volume, the institution should attempt to identify, in consultation with the requester, the information they consider essential so that the institution can try to convert that information first, for example, material relating to a case before a court or a tribunal. Requesters should be encouraged to be specific.

    Time for conversion

    Institutions may also consider the time required to provide the information in an alternative format. If conversion to the requested format is likely to necessitate taking an extension under paragraph 15(b), it may be more reasonable to consult the requester about finding another means of communicating the information. Lengthy delay due to conversion time should not be the basis for refusing conversion, but it may be a reason for trying to find another more suitable method.

    In this context, an effort should be made to negotiate with the requester the means of supplying the requested information in a format that is both useful to the individual and reasonable and cost‑effective for the institution. Examples of alternative formats are USB keys, CDs, large print and braille. Institutions should also consider the requester’s access to technological aids, such as optical scanners, voice synthesizers and personal computers, and other non‑technological means of processing the record, such as personal readers, as factors that may affect the selection of an appropriate alternative format.

    Cost of conversion

    Taking all the previous factors into consideration, the head of the institution may decide that conversion to an alternative format is not reasonable if the cost of converting the information (including costs related to obtaining the conversion technology) is too high. The point at which costs preclude conversion is specific to each case and is left to the discretion of the head of the institution. Keeping in mind the overall policy to assist individuals in exercising their rights under the Act, the institution should strive to keep the costs associated with conversion to a minimum.

    Where a less expensive alternative that would enable a requester to effectively exercise their right of access exists, it would be reasonable for the institution to favour that option. If, based on the facts of a particular case, it appears that providing alternative format access would be cost‑prohibitive, the institution should consult with its legal counsel before responding to the request.

    The decision on which format will ultimately be provided should be made after consultation with the requester. To the extent that it is reasonable, the requester’s preference should be accommodated. However, some types of records do not lend themselves well to conversion into a particular format (for example, photographs into Braille). When it is determined that the information would not convert well into the requested alternative format, the institution should consult the requester about other means of conveying the information. The requester’s access to computers, software and technological aids, such as optical scanners and voice synthesizers, may have an impact on the selection of an appropriate alternative format.

    Government institutions should provide assistance to requesters who are unable to exercise their rights using established procedures. For example, individuals may require special assistance in accessing the Open Government portal or completing the request form.

    6.18 Closing the request

    A request is completed when:

    • all actions for its processing have taken place and a response has been sent to the requester to notify them of the disposition of the request
    • the request has been abandoned

    A personal information request may be considered as abandoned in the following circumstances:

    • When the requester has not responded to a request for clarification within the timeline specified in the notice acknowledging their request was received but is incomplete
    • When the applicant formally withdraws the request

    It would not be reasonable for a requester to expect an institution to keep a request open indefinitely. If the requester asks to reopen an abandoned request, the institution has the discretion to reopen the abandoned file or to open a new request file. The time elapsed since the closing of the request and the fiscal year are factors to consider. Reopening a file in a different fiscal year from that of the initial request creates reporting discrepancies.

    Before closing the file, the institution should ensure that it is complete and contains:

    • copies of the records reviewed (in paper or electronic format)
    • all internal and external correspondence
    • copies of all records that were released, in whole or in part
    • any other information documenting the processing of the request

    The file must be retained for the time period set in the institution’s retention and disposition schedule, and for a duration that allows the requester time to exercise all of their rights under the Act. In accordance with section 4(1) of the Privacy Regulations, the retention period should be at least two years. The retention period begins after the last recorded activity on the file.

  • Chapter 7 – Time limits

    Date updated: 2024-12-09
    ATI Manual Cross-reference

    7.1 Statutory deadline

    Section 14 of the Privacy Act (the Act) requires the head of a government institution to respond to a personal information request made under subsection 12(1) within 30 days after the request is received, subject to section 15 of the Act. The head of a government institution must:

    • give the requester written notice as to whether or not access to the personal information or part thereof will be given; and
    • if access is to be given, give the requester the information or appropriate part thereof

    This is reiterated in subsections 4.1.29 and 4.1.30 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive).

    Subsection 4.2.22 of the Policy on Privacy Protection requires the head of a government institution or their delegate to ensure every reasonable effort is made to assist requesters in connection with the request, to provide complete, accurate, and timely responses to requests under the Act. Furthermore, 4.2.6 of the Directive requires employees of government institutions to make every reasonable effort to respond to requests within the timelines prescribed in the Act, including taking extensions in accordance with the Act. While these policy requirements do not amend the legislative timelines, they impose timely access to personal information.

    7.1.1 Calculation of statutory deadline

    The 30‑day timeline prescribed in section 14 of the Act are calendar days, as provided for in the Interpretation Act. The timeline is counted from the first day following receipt of a complete personal information request to the institution’s Access to Information and Privacy (ATIP) office. If the deadline falls on a weekend or on a holiday, the deadline for response, extension or other action becomes the next day, as per sections 26 and 35 of the Interpretation Act.

    When an extension is taken, the deadline is recalculated from the date of receipt of the request rather than from the original deadline.

    Example

    A request is received on November 23. The 30th day falls on Saturday, December 23. The next day that is not a holiday is December 27, which becomes the deadline, and the institution has 34 calendar days to process the request. When a 30‑day extension is taken, the new deadline is calculated from November 23 (30 + 30 days), and the 60th day falls on January 22 of the next calendar year.

    7.2 Extension of time limits

    The 30‑day time limit set in section 14 of the Privacy Act is subject to section 15 of the Act. In particular, paragraph 15(a) of the Act allows the head of a government institution to extend the original time limit by a maximum of 30 days under the following circumstances:

    • meeting the original time limit would unreasonably interfere with the operations of the government institution, or
    • consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit

    In addition, paragraph 15(b) of the Act allows the head of a government institution to extend the time limit for such a period of time as is reasonable if additional time is necessary for the purposes of translating the information or converting the information into an accessible format.

    The institution is not required to consult or obtain the requester’s consent when deciding whether to extend the statutory deadline. The institution is required to examine the circumstances and context of each request.

    More than one extension may be taken, provided each extension is taken within the original 30‑day time limit and does not exceed the maximum time limit under paragraph 15(a) of 30 days.

    Unlike the process for extensions taken under Access to Information Act, the Office of the Privacy Commissioner (OPC) is not carbon copied in the extension notices.

    Example

    An institution takes an extension under subparagraph 15(a)(i) on day 7 when the office of primary interest informs the ATIP office that the request is for a large number of records and the search will require many days. A second extension is taken on day 15 to accommodate the translation of the material into the requester’s preferred language.

    As per subsection 4.2.5 of the Directive, employees of government institutions are required to advise ATIP officials at an early stage if a request cannot be responded to within the legislated 30‑day time frame. This is in coordination with the requirement in 4.1.20 of the Directive in which heads or their delegates are required to assess, without undue delay, each request received under the Act to determine if an extension is needed. ATIP officials may wish to communicate with the requester if they are advised by the program area that the request has a large volume of pages or requires consultations. There may be opportunities to narrow or clarify the scope of the request to facilitate processing. If the request requires clarification, it may be placed on hold. For more information on holds, please refer to Chapter 6.

    7.2.1 Reasons for extension

    a) Subparagraph 15(a)(i): unreasonable interference with operations

    Subparagraph 15(a)(i) of the Privacy Act provides for an extension if meeting the original time limit would unreasonably interfere with the operations of the government institution. Both the words “unreasonably” and “interfere” are terms that may be interpreted according to the circumstances and the context of each specific request.

    Generally, interference with the institution’s operations may be considered unreasonable if processing the request within 30 days would require the following:

    • a transfer of resources from institution’s operations to the ATIP office
    • monopolizing a significant portion of the resources of the office of primary interest to the detriment of its core functions, or
    • using such a high proportion of the resources of the ATIP office that it would have a significant negative impact on the processing of other requests.

    When completing their annual report to Parliament, an institution will need to classify their extension for reporting purposes under one or more of the following circumstances:

    • further review is required to determine whether information should be exempted under sections 18–28 of the Privacy Act (interwoven information)
    • there is a large volume of pages related to the request
    • the institution is experiencing a large volume of requests
    • the documents are difficult to obtain

    Institutions should document their justification for the extension and demonstrate that, in light of the circumstances, it would have been unreasonable to devote the time and resources necessary to meet the original time limit. Should there be a complaint, the OPC may consider whether an institution has adequately funded its ATIP office and the steps the institution took to address resource shortfalls when assessing the justification for the extension.

    Emergency situations

    There is no provision in the Act that allows the statutory time limits to be extended in emergencies, even in extraordinary situations that significantly interrupt operations. The impact of an emergency on the institution’s operations cannot be used as the sole basis for taking an extension under subparagraph 15(a)(i) of the Privacy Act. However, if fulfilling the request in the original time limit would unreasonably interfere with the operations of the government institution because the emergency already had an adverse effect on operations, an extension may be considered.

    b) Subparagraph 15(a)(ii): consultations necessary

    For the purposes of subparagraph 15(a)(ii) of the Act, “consultation” refers to consultations undertaken within a government institution, or with other government institutions or other levels of government. Although personal information requests do not regularly contain Cabinet confidences, such documents are an example of when an institution may need to extend the time limit for responding to a request.

    An extension under subparagraph 15(a)(ii) of the Act may also be justified when an institution must seek legal advice in order to resolve issues related to the processing of a request. However, extensions should not be taken to cover an institution’s routine approval process.

    It is also a best practice to obtain, where feasible, an agreed upon response time from the party consulted, whether an internal or external consultation when taking an extension under subparagraph 15(a)(ii) of the Act.

    When completing their annual report to Parliament, an institution will need to classify their extension for reporting purposes under one or more of the following circumstances:

    • Cabinet confidences
    • the request requires significant consultations with external organizations (such as third parties or provincial/territorial governments)
    • the request requires significant consultations within the institution or with other federal institutions
    c) Paragraph 15(b): translation and conversion

    An extension under paragraph 15(b) of the Act may be claimed if additional time is necessary for the purposes of translating the information or converting the information into an accessible format.

    7.2.2 Length of extension

    As noted above, paragraph 15(a) of the Act allows the head of a government institution to extend the initial period by a maximum of 30 days under select circumstances.

    Extensions should be based on the amount of work required to process a request and be for as short a time as possible. Their length should be assessed on a case-by-case basis wherein the volume and complexity of the information for that specific request is taken into consideration. This approach avoids determining the length of an extension based on only such predetermined factors, such as the average response time taken by an institution consulted in the past. They should also consider the ability to undertake multiple tasks in overlapping time frames, such as conducting consultations and reviewing the requested information. Applicable factors to consider in determining the length of an extension are provided in subsection 7.2.3 of this chapter.

    The Federal Court of Appeal has indicated that “it is not enough for a government institution to simply assert the existence of a statutory justification for an extension and claim an extension time of its choice. An effort must be made to demonstrate the link between the justification advanced and the length of the extension taken.”Footnote 1 While the Privacy Act was not directly in question in this decision, the provisions of the Access to Information Act at issue are nearly identical to those found in the Privacy Act and the findings remain relevant. In the case of subparagraph 15(a)(i), this means demonstrating that the work required to provide access within any materially lesser period of time than the one asserted would interfere with operations. The same type of rational linkage must be made when invoking subparagraph 15(a)(ii) with respect to necessary consultations. It is important to justify any extension taken regardless of length and to properly record those decisions on file.

    As provided for in paragraph 29(1)(d) of the Act, the Privacy Commissioner can receive complaints from individuals who consider the extension taken to be unreasonable. If the Privacy Commissioner, after an investigation, agrees and finds the extension is unreasonable, the complaint is considered well-founded.

    As per subsection 4.1.23 of the Directive, heads or their delegates must report on the number of and reasons for extensions in the institution’s annual report to Parliament. The Treasury Board of Canada Secretariat collects statistical data on the length of extensions for the following categories:

    • 1 to 15 days
    • 16 to 30 days
    • 31 days or greater

    Paragraph 15(b) of the Privacy Act refers to the extension of the time limit as “such period of time as is reasonable” for translation and conversion. In each case, the head of the institution or their delegated representative must exercise judgment, for the Act does not stipulate a specific time frame other than that it be “reasonable.” Accordingly, where additional time is required for translation or for converting the information into an accessible format, a reasonable period of time is allowed. Institutions should consider releasing the untranslated or unconverted personal information as soon as possible and advise the requester that the translated or converted version will be provided when available.

    Note that if the extension taken is not long enough and the institution does not complete the request within the extended time limit, the request is deemed to have been refused by virtue of subsection 16(3) of the Act. Information on deemed refusals is provided in subsection 7.3 of this chapter.

    7.2.3 Procedures

    The following is recommended when dealing with extensions:

    • Institutions should assess all requests as soon as possible after receiving them and, if necessary, give notice of a written explanation to the requester within 30 days of receipt of the request of the reasons for an extension.

    Subsection 4.1.20 of the Directive requires heads or their delegates to assess, without undue delay, each request received under the Act to determine if an extension is needed for processing the request. They are to be assisted by employees of government institutions, who are required by 4.2.5 of the Directive to advise ATIP officials at an early stage if a request cannot be responded to within the legislated 30‑day time frame.

    Factors that may be considered when deciding whether an extension is needed and the length of the extension include the following:

    • scope and complexity of the request
    • volume of personal information requested
    • number of files that must be searched to find the requested personal information and where the files are located, if not electronically
    • level of interference with the institution’s operations
    • number and complexity of consultations required with employees of the institution and external organizations, such as offices of primary interest, other institutions or other levels of government
    • whether additional consultations or notification may be required depending on the outcome of the consultations undertaken

    When extending under subparagraph 15(a)(ii) of the Act, it is a best practice to contact the institution, the individual or the organization being consulted to obtain an agreed-upon response time from that institution, individual or organization.

    If the personal information requested is of interest to another institution, organization or individual, consultations should be undertaken only if additional information is required to exercise discretion effectively or the processing institution intends to disclose potentially sensitive information, as per 4.1.24 of the Directive. As per 4.1.25 of the Directive, institutions are to ensure consultation requests from other federal government institutions are processed with the same priority as the personal information requests made to their own institution.

    An extension cannot be taken when more than 30 days have passed since the request was received.

    1. If access cannot be provided within the statutory time limit, the institution should inform the requester that the time limit cannot be met, indicate when access will be given, and advise the requester of the right to file a complaint with the Privacy Commissioner about the extension.
    2. When requests contain similar or related information and are made to more than one institution, the personal information should be carefully examined to ensure that if redactions are applied, they are done so consistently across all requests.
    3. Keep requests open until all consultations have been received and a formal notice, as discussed in subsection 7.2.4 of this chapter, has been provided to the requester.

    Example

    An institution holds personal information that is of interest to several institutions, such as personal information relating to a sensitive security issue under investigation that concerns Public Safety Canada, the Royal Canadian Mounted Police and the Canadian Security Intelligence Service. The request is 750 pages total.

    The institution informs the requester in writing that the request is extended for an additional 30 days under subparagraph 15(a)(i) – unreasonable interference with operations (large volume of pages), and subparagraph 15(a)(ii) – consultations necessary (consultations with other federal institutions) and provides the new legislative due date for the response.

    Prior requests may be used to inform the time required to complete the processing of the request. The institution may have some insights, for example, of how long it normally takes to complete this type of consultation with this specific institution or for this volume of records. That said, previous requests, if used, should not be the standalone deciding factor, but rather part of a set of assessment criteria that also considers the volume and complexity of the information at issue. In the scenario above, the institution needs additional processing time based on the volume of the request. The institution also needs to be provided with additional information from the consulting institutions on the status of the investigation and if the release of the information would be injurious to the conduct. Although the request is not identical, similar requests have taken the other institutions 20 days to complete, and the ATIP analyst assigned to the request confirmed the processing time in advance of sending the consultation. These 20 days, combined with large volume of pages, leads the ATIP analyst to believe that an additional 30 days are required to complete the request.

    7.2.4 Notice to the requester

    When, based on the factors identified in subsection 7.2.3 of this chapter, an institution extends the time limit, section 15 of the Privacy Act requires that the institution give written notice of the extension to the requester within the original 30‑day time period. To fulfill this requirement, the necessary elements for this notice are described in 4.1.20 to 4.1.23 of the Directive. Institutions should assess without undue delay all access requests received and if an extension is needed for processing a request, notify the applicant of the extension within 30 days of the request’s receipt.

    Model letters are available in Annex A of this Manual. If an institution chooses to develop their own letter, note that it must contain the following:

    If more than one extension is taken, the institution has the option to inform the requester in the same notice or under separate cover.

    Model written explanations for delays in fulfilling personal information requests

    The following model explanations are provided as a resource. Institutions are encouraged to use these model explanations as basis for correspondence with requesters, or to adapt them as appropriate. Even when using these model explanations, heads of institutions remain responsible for ensuring that any extension falls within the reasons specified in section 15 of the Act. The use of model explanations also does not impact the right of requesters to complain to the OPC.

    Circumstances Proposed written explanation Subsection of the Privacy Act

    Further review is required to determine whether information should be exempted under sections 18–28 of the Privacy Act.

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because the records containing your personal information also include other sensitive information. We will need to review the records to protect the privacy of others and to protect other information that cannot be released.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    There is a large volume of pages related to the request

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the volume of records associated with your request. We will need to locate, retrieve and review a large number of records.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The institution is experiencing a large volume of requests

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the high volume of requests currently being processed by our institution.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The documents are difficult to obtain

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request as some of the records you requested are currently difficult to obtain because [records have been archived, records are in storage, records are not available electronically, records are stored in backup tapes, we will need to compile records from multiple locations, or your request covers a significant time period].

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The request requires significant consultations with external organizations

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult with external organizations such as provincial or territorial governments.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires significant consultations within the institution or with other federal institutions

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult within our institution or with other federal institutions.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires translation or conversion

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to translate the records you requested or convert the records into another format in order to facilitate your access to your personal information.

    This extension is in accordance with paragraph 15(b) of the Privacy Act.

    15(b)

    7.3 Deemed refusal

    Subsection 16(3) of the Privacy Act states that when a government institution fails to give access to personal information within the time limits set out in the Act (30 calendar days or the length of time taken under an extension), the institution is deemed to have refused access. This situation is commonly referred to as a deemed refusal.

    To clarify further, if no extension has been taken under section 15 of the Privacy Act and a response was not given, an institution is deemed to have refused access on the 31st day after a request was received (unless it falls on a weekend or a holiday). If an extension was taken, an institution is deemed to have refused access if it did not respond by the end of the extended deadline.

    When a request is in a deemed refusal state, the requester may file a complaint with the Privacy Commissioner about the refusal of access. On a parallel issue in the closely related Access to Information Act, the potential consequences of a deemed refusal were reviewed by the Federal Court of Appeal in the decision Canada (Information Commissioner) v. Canada (Minister of National Defence), Docket A-785-96. The Court found that once a request is deemed to have been refused, the Commissioner has the power to conduct an investigation to determine the merits of the refusal to provide access. The Court stated as follows:

    In the instant case, as soon as the institution failed to comply with the time limit, the Commissioner could have initiated his investigation as if there had been a true refusal. He does have powers to investigate, including, at the beginning of an investigation, the power to compel the institution to explain the reasons for its refusal.

    In the decision Statham v. Canadian Broadcasting Corporation, 2010 FCA 315, the Federal Court of Appeal confirmed that there is no distinction between a true refusal and a deemed refusal.

    In the decision Information Commissioner of Canada v. Canada (Minister of National Defence) 2015 FCA 56, the Federal Court of Appeal stated that the validity of an extension of time to respond to an access to information request may be judicially reviewed.

    When a request is in deemed refusal, the institution has not forfeited their right to refuse disclosure and must continue to process the request and provide a response to the requester. The decision Murchison v. Export Development Canada, 2009 FC 77, the Court found that the information did not have “to be disclosed merely because the institution failed to assert an exemption within the 30‑day period.”

    There is additional information on the effect of deemed refusals in Chapter 12 of this manual.

    While these decisions do not provide rulings directly on the Privacy Act, the findings are on the closely related Access to Information Act, and the provisions at issue are similar to those found in the Privacy Act on the same subject.

  • Chapter 8 – Request for correction and notation

    Date updated: 2024-12-09

    8.1 Request for correction and notation

    Subsection 12(2) of the Privacy Act (the Act) provides that an individual who has been given access under paragraph 12(1)(a) of the Act to personal information that has been used, is being used, or is available for use for an administrative purpose may request correction of the personal information where the individual believes there is an error or omission therein.

    Section 11 of the Privacy Regulations describes the procedures to be followed by the requester and government institutions, as explained in section 8.4 of this chapter.

    Information about requests to delete personal information can be found in the Privacy Practices Manual (to be published). Institutions may wish to consult with their records management officials for advice on information that must be retained or transferred to Library and Archives Canada and on what information may be destroyed.

    8.2 Policy Requirements

    8.2.1 Responsibilities of heads of government institutions or their delegates

    The responsibilities for heads of government institutions or their delegates concerning the correction and notation of personal information are as follows:

    • Under section 4.2.25 of the Policy on Privacy Protection, to establish effective processes and systems to respond to requests under the Act. This applies to both requests for access as well as requests for correction;
    • Under section 4.1.32 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive), to establish a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented;
    • Under section 4.1.33 of the Directive, to document any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose.
    • Under section 4.1.34 of the Directive, to notify the individuals, and any public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information; and
    • Under section 4.1.35 of the Directive, to notify requesters of their right to complain to the Privacy Commissioner in respect of requests for correction of personal information.

    It is recommended that procedures for processing correction requests be made available to the public.

    8.2.2 Responsibilities of executives and senior officials

    The Directive on Privacy Practices assigns the following responsibilities related to the correction of personal information to executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information:

    • Under section 4.2.20.5, to notify the individual whose personal information is collected directly of the right to request the correction of personal information under the Act;
    • Under section 4.2.29, to ensure that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision is made that could have an impact on them; and
    • Under section 4.2.38.3, to ensure, when personal information is transferred out of the control of a government institution as a result of the devolution or privatization of a program or activity, that rights of individuals to access and correct their personal information are maintained after the transfer.

    8.3 Decision to grant or refuse the request for correction

    The decision whether to grant or refuse a request for correction is made on a case-by-case basis.

    The request is usually granted when the personal information consists of factual information that was originally supplied by the individual concerned, or when the individual provides documentary evidence to support the correction.

    When the correction will affect an administrative decision concerning the individual (e.g., their eligibility for a benefit), documentary evidence provided to support the correction should be the same as the evidence required when the information was originally collected.

    As a general rule, a request for correction of an opinion is usually accepted if the requester was the source of the opinion and the opinion does not concern any other individual. In general, corrections are not made to opinions given by other individuals about the requester except where there are reasons to suspect the reliability of the source of the opinion, or the requester established that the original opinion was based on incorrect information. When this is not the case, the individual is informed of the difficulty in reassessing the validity of an opinion, and a notation is made giving the requester’s views on the matter.

    8.4 Procedures

    As mentioned previously, Section 11 of the Privacy Regulations describes the procedures to be followed by the requester and by government institutions, which this section outlines.

    8.4.1 Procedures to be followed by the requester

    Following receipt of their request under 12(1)(a), the requester must send a subsequent request for correction to the appropriate officer of the government institution that has control of the personal information. The requester may fill out a Record Correction Request Form (TBS/SCT 350-11) in respect of each personal information bank that contains the information to be corrected, or may send a signed letter that contains all information requested in the form. The requester should include copies of the documentary evidence that can be used to establish the validity of the requested correction, including citing the file number for the previously processed personal information request.

    8.4.2 Procedures to be followed by the government institution that received the request for correction

    When the request for correction is granted, the head of the government institution must, within 30 days of receiving the request:

    • Notify the requester that the correction has been made;
    • Notify any person or body to whom the information was disclosed within the two years preceding the date that the request for correction was received that the correction has been made; and
    • Notify the appropriate officer of any other government institution to which the information was disclosed within the two years preceding the date that the request for correction was received that the correction has been made, and that the officer is required to make the correction on every copy of the personal information under the control of that institution.

    The notice to the requester should include a list of the persons, bodies and government institutions that were notified of the correction made.

    When a request for correction is refused in whole or in part, the head of the government institution must, within 30 days of receiving the request:

    • Attach a notation to the personal information reflecting that a correction was requested but was refused in whole or in part;
    • Notify the requester that:
      • The request for correction was refused in whole or in part and give the reasons for the refusal;
      • A notation reflecting that a correction was requested and refused in whole or in part has been attached to the personal information; and
      • The requester has the right under the Act to make a complaint to the Privacy Commissioner;
    • Notify any person or body to whom the personal information was disclosed in the two years preceding the date that the request for correction was received that a notation has been attached to the personal information; and
    • Notify the appropriate officer of any other government institution to which the information was disclosed within the two years preceding the date that the request for correction was received that a notation has been attached to the personal information, and that the officer is required to attach such a notation to every copy of the personal information under the control of that institution.

    The notice to the requester should include a list of the persons, bodies and government institutions that have been notified of the attachment of the notation.

    8.4.3 Procedures to be followed by a government institution that receives a notice that a correction was made or refused in whole or in part

    When a government institution receives a notice from another government institution that a correction or notation has been made, the institution receiving the notice must correct or annotate every copy of the personal information under the control of the institution without delay.

    8.5 Incorporating corrections and notations

    In many cases, corrections can be made by changing the particular information within a record; notations can also be made by adding to the record. In circumstances where this is not possible (e.g., certain electronic records), the accepted method is to store the correction or notation in such a way that it is retrieved with the original information (e.g., a flag on an electronic file or a notice attached to a paper file). In all cases, corrections and notations must be stored in a manner that will ensure that they are retrieved and used whenever the original personal information is used for an administrative purpose.

    Institutions should incorporate corrections or notations in a way that will be seen and therefore used by the person having to make a decision about an individual. That includes notifying individuals and private or public organizations that use the information to make a decision on the individual concerned. In other words, whatever method is used, the correction or notation should be simple to retrieve.

  • Chapter 9: General Information on Exemptions

    Date updated: 2024-12-09
    ATI Manual Cross-reference [pending]

    9.1 General principles

    Sections 18 to 28 of the Privacy Act (the Act) set out specific limitations on an individual’s right of access to their personal information. These limitations are known as exemptions. Each exemption is intended to protect information relating to a particular public or private interest. In addition, access may be denied under section 33 of the Act for information created for the purpose of making representations to the Privacy Commissioner in the course of an investigation and responses from the Commissioner (see section 10.17)Footnote 1. Further limitations on an individual’s right of access are covered in Chapter 11 which deals with personal information excluded from the Act.

    Section 4.1.1 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive) specifies that necessary exceptions to the right of access should be limited and specific. Institutions must take their duty to disclose information that the Act requires to be disclosed as seriously as they take their duty to not disclose information covered by an exemption or exclusion to the right of access.

    More than one exemption may apply to the same information. For example, information might be obtained in confidence from a provincial government (section 19) and be injurious to the conduct of federal provincial affairs (section 20). In such cases, institutions should cite all applicable exemptions and should be prepared to defend the use of all exemptions cited. More information on marking exemptions is discussed in section 9.10 of this chapter. Where applicable, the last paragraph of each section in Chapter 10 includes a reference to other relevant exemptions.

    9.2 Nature of exemptions

    The exemptions included in the Act can be classified in two ways:

    1. according to whether the exemption is subject to an injury test or a class test
    2. according to whether the exemption is discretionary or mandatory in nature

    Appendix C of the Directive and the table at the beginning of Chapter 10 lists all exemption provisions and indicate whether they are based on a class test or an injury test and whether they are mandatory or discretionary. The following sections discuss these classifications. Chapter 10 goes into greater detail about each individual exemption, but it is recommended that ATIP analysts familiarize themselves with this chapter first.

    9.2.1 Class test and injury test

    (a) The class test

    Appendix A of the Directive defines “class test” as “a test that objectively identifies the categories of information or documents to which certain exemption provisions of the Privacy Act can be applied.”

    Exemptions based on a class test describe classes of information that, in the drafting of the legislation were deemed inherently sensitive and therefore in and of themselves worthy of protection. If the government institution is satisfied that the personal information falls within the class specified, the exemption can be applied. There is no requirement for an injury to be proven; conceptually, class exemptions exist because the reasonable expectation of probable harm has inherently been met based on the nature of the exemption. A class test is applied in a more straightforward manner than an injury testFootnote 2.

    For example, subsection 19(1) of the Act exempts from disclosure personal information obtained in confidence from eight sources (paragraphs a to g). If the personal information is obtained from one of those eight sources, and if it is obtained in confidence, the class test is satisfied. The exemption serves to give assurance to other levels of government and organizations that, when they share information with a government institution, the information still has protections against onward disclosures. The exemption only requires that the information fit into the class. There is no need to provide a description of the consequences if the information were to be disclosed.

    When applying an exemption with a class test, the ATIP analyst should outline how the exemption applies by stating how the information falls into the class.

    For example, a Correctional Service Canada (CSC) responsive records package contains details surrounding the request for transfer an inmate. These details include information from a municipal police force. CSC determined that it was not reasonable to seek the police force’s consent for the release of the information under subsection 19(2). In In this instance, to apply paragraph 19(1)(d), the ATIP analyst would note in the processing file on the relevant pages that CSC obtained the personal information in confidence from the municipal police force.

    Another example of a class test exemption is section 26, which deals with information about another individual. The responsive records package contained an e-mail that included the home addresses of two successful candidates in a staffing process. The email related to preparing their letters of offer. In this scenario, it was appropriate to not seek consent to release the information because the information was not public, and because there were no applicable disclosures under 8(2). In such a scenario, the ATIP analyst would note that the other home address constitutes the personal information of individuals other than the requester, and thus meets the class test for the exemption.

    The following exemption provisions in the Privacy Act are based on a class test: 18(2),19(1), 22(1)(a), 22(2), 22.1, 22.2, 22.3, 22.4, 23, 24, 26, 27, and 27.1.

    (b) The injury test

    Exemptions based on an injury test provide that access to personal information requested under the Act may be denied if disclosure “could reasonably be expected to be injurious” to the interest specified in the exemption. For access to be refused, there must be a reasonable expectation that disclosure of the information could prove harmful or damaging to the specific public or private interest covered by the injury test exemption.

    Appendix A of the Directive defines “injury test” as “a test to determine the reasonable expectation of probable harm to be met for certain exemption provisions of the Privacy Act to be applied.”

    The head of the institution or the delegate should be able to demonstrate how disclosure could result in a risk of harm. In contrast to the class test, there is a need to articulate in greater detail how the injury test is satisfied. Generalities, assertions with no rationale or simply repeating the words in the exemption are not sufficient to meet the threshold set out in the injury test. There are many considerations in assessing injury, but three general factors should be taken into account when building a rationale to invoke an exemption:

    1. is the harm current?Footnote 3
    2. Is the injury probable?Footnote 4
    3. Can the specific risk be identified?Footnote 5
    Current

    Institutions must consider whether it is possible to identify the harm at the time the exemption is claimed or in the foreseeable future. It may be practical to examine how information of a similar nature was treated in past requests. That said, even if information was protected from disclosure in the past, it should be reassessed when a new request is received to ensure that present or future injury is still a factor.

    Probable

    Consideration must be given as to whether there is a reasonable likelihood of the injury occurring. Institutions will need to demonstrate the link between disclosure of the specific information in question and the harm described. The rationale provided would avoid just stating a conclusion, which is likely to be an insufficient explanation to support invoking the exemptionFootnote 6. Note that the likelihood of that harm occurring does not have to meet a level of a balance of probabilities, but must be more than speculation.

    The Supreme Court of Canada went into great detail about the reasonable expectation of probable harm in Merck Frosst Canada Ltd. v. Canada (Health), 2012 SCC 3. In this case, the Supreme Court concluded that “the accepted formulation of ‘reasonable expectation of probable harm’ captures the need to demonstrate that disclosure will result in a risk of harm that is well beyond the merely possible or speculative, but also that it need not be proved on the balance of probabilities that disclosure will in fact result in such harm.”

    Specific

    It is important to consider the degree to which it is possible to identify the harm with the actual party who could suffer the injury either directly or to their interests. It is not enough to identify only a vague general harm. “There must be a clear and direct connection between the disclosure of specific information and the injury that is alleged.Footnote 7

    This threshold was analyzed in the Supreme Court’s decision in Ontario (Community Safety and Correctional Services) v. Ontario (Information and Privacy Commissioner), 2014 SCC 31. In this case, the Ontario government did not have evidence that linked the disclosure of the information at issue to the harms that it claimed would arise. The court discussed the standard of proof required and how it would look for specific evidence linking the disclosure to the harm when it stated the following:

    The Commissioner specifically stated that the Ministry needed to show only “a reasonable basis for believing” to apply the exemption related to the endangerment of life. She further stated that “detailed and convincing” evidence must establish a “reasonable expectation of harm” with regards to the exemption protecting the control of crime. The Commissioner held that “speculation of possible harm” would not be sufficient: p. 11. After considering the Ministry’s arguments, the Commissioner found that “the Ministry’s representations, including the affidavit, [did] not provide a reasonable basis for believing that endangerment [would] result from disclosure”: p. 14. She added that the possibility of identification, or even presumed identification, was “too remote to meet even the lower evidentiary threshold for section 14(1)(e) established in the Office of the Worker Advisor case cited above”: p. 15. Of course, as noted above, there is no such “lower evidentiary threshold” and the Commissioner simply meant that she did not require proof that harm was probable. Indeed, the Commissioner then emphasized that she did not require “that the Ministry demonstrate that harm is probable; there need only be a reasonable basis for believing that harm will result, and it is not established here”: ibid. Taken together, these statements properly identified the applicable standard of proof.

    Additional considerations

    Some exemptions (along with definitions and exclusions), such as section 21 of the Act or the definition of personal information in section 3, include a list of examples, along with the phrase “without restricting the generality of the foregoing.” These lists illustrate specific types of information to which the section applies. The fact that information in a response record is described in the illustrative list is not sufficient to automatically exempt the information. The information does not necessarily need to be included in the list. However, the refusal to disclose must still be based on the injury that would result to the interest specified in the exemption.Footnote 8

    For example, the injury could relate to the security of penal institutions, paragraph 22(1)(c). An individual who attempted an escape from a correctional facility could make a personal information request on the incident report. The information requested could contain information about the repair of a locking mechanism, on a door or a window. That information could reasonably be expected to be injurious to the security of penal institutions, since it is information that could be useful in a future escape attempt, so it can be characterized as current. It may provide insight into a vulnerability (faulty locking mechanisms, a space wide enough to fit a person), so is sufficiently specific. Finally, it is foreseeable that the individual might use this information or share it with another individual to plan a future escape, so can be considered probable.

    Some information may not be obviously injurious. There may be cases, most often in the contexts of national security and law enforcement, where disclosure could give rise to the “mosaic effect.” The mosaic effect occurs when bits of information that appear meaningless or trivial in isolation could reveal a more comprehensive understanding of the information requested when combined and analyzed. Although an institution can exempt information when there is a risk of injury as a result of the mosaic effect, it must still be able to demonstrate that disclosure could reasonably be expected to be injurious.Footnote 9

    The following exemption provisions in the Privacy Act are based on an injury test: 20, 21, 22(1)(b) and (c), 25 and 28.

    9.2.2 Mandatory and discretionary exemptions

    (a) Mandatory exemptions

    Appendix A of the Directive defines “mandatory exemption” as “an exemption provision of the Privacy Act that contains the phrase ‘shall refuse to disclose.’”

    When information requested under the Act is covered by a mandatory exemption, institutions are required to refuse to disclose the information. However, subsection 19(2) of the Act may provide for the release of personal information when certain conditions are met.

    For example, any personal information obtained in confidence from the United States’ Internal Revenue Service to the Canada Revenue Agency is exempted from disclosure under paragraph 19(1)(a) (information obtained in confidence from a foreign government), provided that the Internal Revenue Service did not consent to its disclosure or make it public.

    The following exemption provisions from the Privacy Act are mandatory: 19(1), 22(2), 22.1, 22.2, 22.3 and 22.4. Section 26 is a hybrid exemption that is in part discretionary and in part mandatory.

    Section 22.1(2) is mandatory but is unique in that it contains the phrase “shall not refuse … to disclose,” because the personal information is treated differently upon the conclusion of an investigation. For further information, please refer to section 10.6.2 of the manual.

    (b) Discretionary exemptions

    Appendix A of the Directive defines “discretionary exemption” as “an exemption provision of the Privacy Act that contains the phrase ‘may refuse to disclose.’”

    A discretionary exemption permits the head of a government institution to refuse to disclose information if it meets the class or injury test involved and gives the head the discretion to disclose the information even though it is covered by the exemption. The head or their delegate must balance in good faith, based on relevant considerations, arguments in favour of disclosure versus those in favour of non-disclosure.

    Chapter 6 of this manual provides information on the legal concept of discretion, the requirements of the Policy on Privacy Protection (the Policy) and the Directive, and the rules for the proper exercise of discretion. Section 9.4 of this chapter provides information specific to the exercise of discretion when applying discretionary exemptions. Section 8.4 also provides guidance on how institutions can meet the requirements to document their rationale behind the exercise of discretion.

    The final decision on whether to disclose information for which an exemption could be claimed is left to the head of the government institution processing the request. However, to properly exercise discretion, the advice of another government institution may have to be obtained through consultation. Advice may be sought in instances where the institution exercising discretion was not the originator or did not prepare the information itself and requires more information to properly exercise discretion.

    The majority of exemption provisions in the Act are discretionary: 18(2), 20, 21, 22(1), 23, 24, 25, 27, 27.1 and 28. Section 26 is a hybrid exemption that is in part discretionary and in part mandatory.

    9.3 Review of responsive records

    Section 4.2.25.4 of the Policy requires institutions to establish procedures to ensure that the requested personal information is reviewed to determine whether it is subject to the Act. Chapter 3 [pending] and Chapter 6 assist institutions in determining whether information is under the control of the Act and therefore subject to it. Chapter 11 provides information on exclusions. If the personal information is subject to the Act, the institution must then determine whether any exemptions apply. In large institutions or institutions that have regional offices, this preliminary review may take place under the coordination of a divisional or regional access coordinator.

    9.4 Exercise of discretion when applying discretionary exemptions

    The application of discretionary exemptions is a two-step process:

    1. Determine whether the information meets the requirements of the class or injury test that is part of the discretionary exemption
    2. Exercise discretion, and determine whether the information should be exempted or released

    In other words, the head of the institution must first consider whether the exemption applies to the personal information. If so, the head must then exercise discretion in determining whether the information should or should not be disclosed.

    The head must not replace the exercise of discretion with a blanket policy whereby information will not be released simply because it can be withheld under one of the discretionary exemptions. In exercising their discretion, the head must “have regard to all relevant considerations”Footnote 10 and to the spirit and purpose of the Act. For example, a document that is classified or protected in accordance with the security categorization set out in Appendix J of the Directive on Security Management is not automatically exempt from disclosure. The security category provides an indication that the document may contain sensitive information that may qualify for exemption or exclusion and is one of the factors to consider in the exercise of discretion and assessing harm for an injury test. Each piece of information must be judged in relation to the requirements in the Act’s exemption provisions as they apply at the time of the request.

    The Act does not specify criteria that the head of a government institution is to take into account or explicitly outline all factors they are to consider when exercising their discretion. Best practices when exercising discretion may include considering the following:

    1. the general purpose of the Act (that is, to protect the privacy of individuals with respect to personal information about themselves held by a government institution and to provide individuals with a right of access to that information).
    2. the wording of the discretionary exemption and the interests that the exemption aims to protect.
    3. the specific content of the responsive records, for example:
      • the nature of the record and sensitivity of the personal information;
      • whether the information relates to issues that are current (Is the personal information being used for a decision, or will it be used in the future?)
      • historical practices of the institution with respect to the release of similar types of information
      • court decisions (Have the courts ruled under either the Access to Information Act (ATIA) or the Privacy Act that similar types of records or information should or should not be disclosed?)
      • the age of the information (Usually, the older it is, the less likely the release of personal information will cause injury. However, there are exemptions that have no time limit, acknowledging that some information is sensitive or injurious regardless of the passage of time).
    4. the context (confidentiality of the information and timing):
      The context in which an institution operates and in which the information was collected, obtained or created. The timing of the request will also have an impact. For example, exemptions may be applied differently to personal information before a situation is resolved, compared with how they are applied after.
    5. the views of subject matter experts:
      The proper exercise of discretion may require internal or external consultations. In Do-Ky v. Canada (Foreign Affairs and International Trade), (T.D.) [1997] 2 F.C. 907, the Federal Court stated:
      • It is not a fettering of discretion to seek advice from the government departments most knowledgeable and directly involved with the situation at hand. In fact, not to do so would be irresponsible. Provided that the individual who is responsible for exercising the discretion in fact turns his or her mind to the issues and weighs and considers all the facts, there is no fettering of discretion.
    6. the impact of disclosure, including the following considerations:
      • the impact the release of the personal information would have on the fulfilment of the institution’s legal mandate and activities
      • the degree of harm that the release would cause (low, medium or high) to the government, the institution, any third parties or the individual. This is related to the injury test.
    7. the public interest

      A public interest test involves considering the circumstances of each case in relation to the exemption that covers the information.

      The term “public interest” was examined in Grant v. Torstar Corp., 2009 SCC 61. The Supreme Court emphasized that there is no single test for public interest, nor is there an established list of subjects that can be categorized as such. However, broadly, information in the “public interest” might include information that affects the rights, safety, health or finances of the public at large (in contrast with the particular interest of a person, group or firm). Safety refers to the population’s general welfare and well‑being, and includes emergency management (natural disasters, industrial accidents, terrorism, computer viruses, and so on), national security, law enforcement and crime prevention. Health includes product safety, health care, environmental and workplace health, and protection from diseases and epidemics.

      Disclosure of the information in the public interest means that the information relates to a matter of public interest and is not merely an object of interest or curiosity to the public, a group of people or individuals. Public interest is discussed further below.

    Although Ontario (Public Safety and Security) v. Criminal Lawyers’ Association, 2010 SCC 23, [2010] 1 S.C.R. 815 dealt with the Ontario Freedom of Information and Protection of Privacy Act (FIPPA), it is also helpful in dealing with discretionary exemptions under the Privacy Act. The Supreme Court of Canada concluded that the exercise of discretion must take into account the public and private interests in disclosure and non‑disclosure. This exercise involves considerations of public interest in open government, public debate and the proper functioning of government institutions. When considering injury-based exemptions, institutions must first consider the injury and then determine whether the public interest in protecting the information is greater than the public interest in disclosure. It is implicitly a finding that a public interest in confidentiality may trump public and private interests in disclosure. The court makes it clear, however, that in the exercise of the discretion whether to invoke an exemption, the head must also weigh all public and private interests in disclosure and non-disclosure.

    The Supreme Court of Canada, when reviewing on appeal John Doe v. Ontario (Finance), 2014 SCC 36 under FIPPA, noted the importance of institutions exercising their discretion in good faith, for a proper purpose, and taking into account only relevant considerations. This decision also emphasizes that, when exercising discretion concerning the disclosure of documents related to advice or recommendations to government, institutions must consider the need to preserve the political neutrality of the public service and its ability to produce full, free and frank advice.

    In Canada (Information Commissioner) v. Canada (Transport), 2016 FC 448, the Federal Court outlines guidelines for the exercise of discretion. While the decision was in the context of the ATIA, the principle can be applied in the privacy context. For the purpose of judicial review,

    the Court must consider the grounds for justification invoked by the decision-maker, as well as the transparency and the intelligibility of the decisional path with regard to the facts in evidence. In addition, when the Commissioner is a party to the proceedings, the Court must consider [their] arguments and suggestions and analyze how the decision-maker discusses them and takes them into consideration. In making [their] decision, the decision-maker must show that [they understand] the access requests, that [they understand] the arguments in favour of disclosure and that [they have] carefully considered these arguments, all while taking into account the objectives of the ATIA.

    …the decision-maker cannot simply state that [they have] considered all of the relevant factors; [they] must concretely demonstrate how [they have] considered them…. the decision-maker must show that [they have] considered not only non-disclosure, but also disclosure, having considered the arguments in favour of disclosure in a complete and transparent fashion. [They] must weigh these arguments against the objectives of the ATIA.

    There is a balancing act because

    for such a decision to pass muster on judicial review, a boiler-plate declaration that the discretion was exercised and that all relevant factors have been considered will obviously not be sufficient; on the other hand, it is not necessary to provide a detailed analysis of each and every factor that has an impact on the decision or how they were weighed against each other.Footnote 11

    This guidance should not be viewed as exhaustive. The best guide to exercising discretion remains common sense, good judgment and experience.

    9.4.1 Evidence to be provided to the Court for discretionary exemptions

    In the event of legal proceedings, an institution will need to provide documentation regarding their exercise of discretion. In Leahy v. Canada (Citizenship and Immigration), 2012 FCA 227, which dealt with discretionary exemptions under the Act, the Federal Court of Appeal provided guidance on the information needed by the Federal Court or the Federal Court of Appeal to properly review an institution’s decision to withhold information. The Federal Court of Appeal stated that this could be achieved by ensuring that there is information in the decision letter or in the court record that sets out the following:

    1. Who decided the matter
    2. Their authority to decide the matter
    3. Whether that person decided both the issue of the applicability of exemptions and the issue of whether the information should, as a matter of discretion, nevertheless be released
    4. The criteria that were taken into account
    5. Whether those criteria were or were not met and why

    9.5 Exercise of discretion for mandatory exemptions

    When information requested under the Act is covered by a mandatory exemption, institutions normally must refuse to disclose the record, as indicated in 9.2.2 of this chapter. However, section 19 of the Act provides for circumstances that permit government institutions to release the personal information if certain conditions are met. Subsection 19(2) of the Act provides that the head of a government institution may disclose any personal information described in subsection 19(1) if the government, organization or institution from which the information was obtained consents to the disclosure or makes the information public. If one of these conditions is met, and no other exemptions apply, the government institution is given discretion to release the information after considering relevant factors for and against disclosure.

    9.6 Precedents

    Government institutions should assess each request on its own merits, using precedents only as guidelines in making a determination either to disclose or exempt a record or portions thereof.

    When a request includes records that have already been processed, each record must be judged in relation to the exemption provisions of the Act that apply at the time of the new request. Records that were previously disclosed may give rise to new considerations and factors that were not evident for the previous request and should be reassessed. When previous decisions regarding disclosure are reversed because of a change in circumstances, the institution should be prepared to demonstrate that the reversal was clearly warranted and supported by the change in circumstances.

    The following is an example of situations where a precedent does not apply:

    • The first file, submitted by RA, is P-2023-00100.
    • The second file, submitted by RA, is P-2023-00200.
    • RA has a spouse, who we will refer to as RB, and the responsive request package contains both of their personal information interwoven throughout. For file P-2023-00100, the requester, RA, has included a consent form signed by RB. Therefore, instead of applying section 26 to RB’s personal information, the file is released in full to RA as there are no other relevant exemptions or exclusions.
    • For file P-2023-00200, the requester RA, does not have a signed consent form from RB for this request. The ATIP office sent an email to RA, asking whether they would like to provide a copy of a consent form if their file contained someone else’s personal information. The consent form provided in P-2023-00100 cannot be transferred to the new request without express authorization from RB but suggested that consent was reasonably expected to be obtained. However, no response was provided.
    • Without consent, file P-2023-00200 can still be processed, but section 26 should be applied throughout to RB’s information.

    To continue to protect the privacy of individuals and avoid any privacy breaches, it is important to be thorough and not assume that because consent was given in the previous circumstance, that it is a blanket consent for any subsequent requests.

    9.7 Severability

    The principle of severability holds that a record containing exempt information should not, as a whole, be exempted from access if the exempt information can be redacted from it and the rest of the information disclosed. Unlike the ATIA, the Privacy Act does not contain an explicit provision for severability. However, the concept is implicit because subsection 12(1) of the Act gives individuals a right of access only to their own personal information. In addition, the principle of severability is a requirement under 4.2.25.5 of the Policy. The principle of reasonable severability should be followed when reviewing information requested under the Privacy Act.

    In Merck Frosst Canada Ltd. v. Canada (Health), 2012 SCC 3, the Supreme Court of Canada reiterated the accepted key principles for a request made under the ATIA:

    • Severance when processing an ATIA request is mandatory, not discretionary.
    • Severance involves both a semantic and a cost-benefit analysis. The semantic analysis is concerned with whether what is left, after excising exempted material, has any meaning. The cost-benefit analysis considers whether the effort of redaction by the government institution is justified by the benefits of severing and disclosing the remaining information.
    • The purpose of severance is to facilitate access to the most information reasonably possible, while giving effect to the limited and specific exemptions set out in the ATIA.

    Ultimately, according to the Supreme Court of Canada, even where the severed text is not completely devoid of meaning, severance will be reasonable only if disclosure of the unredacted portions of the record would reasonably fulfill the purposes of the ATIA, or in the cases of a personal information request, in accordance with the Policy. Furthermore, where severance leaves only disconnected snippets of releasable information, disclosure of that type of information does not fulfill the purpose of the Act and severance is not reasonable. In these instances, the disconnected snippets should also be redacted, or pages should be withheld in their entirety.

    Although the original purpose of the document may be lost when the exempt information is removed, an exemption cannot be claimed for the entire document as long as there remains some information that is itself intelligible and relevant to the request. Reasonable severability should be established by the intelligibility or usefulness of the document once the exempt portions have been removed. Normally, the smallest unit remaining in a severed document should be a sentence.

    For example, an individual makes a personal information request on a staffing process they participated in. When providing the response package, human resources confirms that the staffing processing is complete and there are no sensitivities in disclosing the personal information to the requester. In the response package, there are email exchanges between human resources, the hiring manager and the candidate (the requester). One of the email chains has a table containing the names of all candidates in the process who passed a written test, along with their language profiles and information about the next steps in the process for setting up interviews. Under section 26, all the rows in the table would be redacted except for the row where the requester’s name appears. The email contains both personal information about the requester and about other individuals, but access can still be granted in a manner that protects the privacy of the other individuals involved through the principle of severability.

    9.8 Non-personal information in responsive records and the application of subsection 12(1)

    The Privacy Act does not require that, when responding to a request, government institutions process information that is not the personal information of the requester. However, records relevant to a request can contain personal information about the requester and other non-personal information. This is especially common for requests that are made by current or former officers or employees of a government institution. For example, an email to a director might contain a rundown of all the current divisional priorities and provide an update on a staffing process where an individual’s name appears. An office of primary interest would be required to provide the email in its entirety in response to a personal information request, but the email could contain a significant amount of information that does not belong to the requester and is not relevant to the request.

    The requester’s personal information should be disclosed unless an exemption or an exclusion under the Act applies. If the non-personal information would be released if the same request was made under the ATIA, the information may be released to the requester instead of having a requester make a similar request under the ATIA. However, if the non-personal information would be severed if the same request was made under the ATIA, the request should be treated differently, as described below.

    Treating records that include both personal and non-personal information this way aligns with the assertion by the Supreme Court of Canada that the ATIA and the Privacy Act:

    are parallel statutes that are designed to work together (Dagg v Canada Minister of Finance, 1997 CanLII 358 (SCC), [1997] 2 SCR 403 at para 47, 148 DLR (4th) 385). The two pieces of legislation contain complementary provisions relating to access to information under government control and are to be interpreted harmoniously in creating a seamless code (Canada (Information Commissioner) v Canada (Commissioner of the Royal Canadian Mounted Police), 2003 SCC 8 at para 22).Footnote 12

    This was further emphasized in VB v. Canada (Attorney General), 2018 FC 394 in which the Federal Court wrote:

    The result should not differ where information, if it were to exist, is requested pursuant to the ATIA instead of the Privacy Act as was done here. As noted above the ATIA and the Privacy Act are to be interpreted harmoniously in creating a seamless code.

    While many of the exemptions are replicated in both acts, there are no equivalent provisions under the Privacy Act for economic interests, third-party information, operations of government, testing methods and audits. This is because such exemptions do not pertain to personal information. If a government institution opts to include non-personal information in a response to a personal information request, going beyond what is required under subsection 12(1) of the Privacy Act, it should not include information that would be exempt if it was requested under the ATIA. The exemptions that are not included in the Privacy Act, because they do not pertain to personal information, but that are in the ATIA, are:

    • section 16.2 for information that must be protected because it was obtained from or created by the Commissioner of Lobbying or on their behalf in the course of an investigation by the Commissioner
    • section 16.3 for information that must be protected because it was obtained or created by an individual who, in performing their functions under the Canada Elections Act, is conducting an investigation, examination, or review
    • section 18 for information related to economic interests that can include trade secrets, financial, commercial, scientific or technical information, and information that could materially injure the financial interest of a government institution
    • section 18.1 for information that includes trade secrets or financial, commercial, scientific or technical information which belongs to and has been treated as confidential by:
      • Canada Post Corporation
      • Export Development Canada
      • Public Sector Pension Investment Board
      • VIA Rail Canada Inc.
    • section 20 for information that includes third party information, including but not limited to, trade secrets, confidential financial, commercial, scientific or technical information, and information used for emergency management plans
    • section 21 for information that relates to certain classes of information about the internal decision-making processes of government, the disclosure of which could interfere with the operations of government institutions
    • section 22 to protect for procedures and techniques involved in testing and auditing, and for details relating to specific tests about to be given and audits about to be conducted if such disclosure would prejudice the use or results of particular tests or audits
    • Section 22.1 for a draft report of an internal audit of a government institution or any related audit working paper if the record came into existence less than 15 years before the request was made
    • Section 24 for information that must be protected as disclosure is restricted as set out in Schedule II of the ATIA

    Once again, the example discussed in section 9.7 where an individual makes a personal information request on a staffing process they participated in, applies. When they sent a request to human resources for a status update, they were only told the process was on hold. This is because, in this hypothetical situation, midway through the staffing process, the institution underwent budget cuts that cut the entire program that was seeking to staff positions. This has not yet been announced to the public. As such, if the request had been made as an ATIA request, the information related to the budget cuts would likely be withheld under paragraph 21(1)(d) of the ATIA.

    The request submitted under the Privacy Act might still disclose the email, in part, that informed the requester that they were successful, but the institution would not provide the information related to the unannounced budget cuts. This information relates to the position and the program and is not the personal information of the requester; as such, the information does not fall into their right of access under subsection 12(1).

    Chapter 5 contains additional guidance on the right of access under subsection 12(1) of the Act.

    9.9 Exemption decision

    Section 4.1.26 of the Directive requires institutions to invoke exemptions by properly applying the provisions of the Act in accordance with relevant jurisprudence. Appendix C of the Directive and the table at the beginning of Chapter 10 list the exemptions and indicates whether they are based on a class test or an injury test, and whether they are discretionary or mandatory.

    The final decision of whether to invoke an exemption should take into account the results of the review, any consultations undertaken and, where necessary, the opinion of the institution’s legal advisor. This decision must be taken by the head of the institution or the officer who has the delegated authority to claim the exemption. The written notification of exemption sent to the requester (see Chapter 6) must be signed by the head of the institution or by the officer who has been delegated this responsibility. If more than one exemption is invoked, all applicable exemptions are cited.

    When another government institution has recommended an exemption of certain information and the decision is to disclose, the institution that was consulted should be informed of the decision prior to disclosure.

    9.10 Marking exemptions

    Paragraph 16(1)(b) of the Act provides that an institution shall state in the notice of refusal to a requester the specific provision of the Act on which refusal was based. Section 4.1.27 of the Directive requires institutions to cite, on the requester’s copy of the records, all exemptions that were invoked, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based to materialize.

    As a general practice, for pages disclosed in part where redactions are applied, the exemption should be indicated in the margin of the record. The demarcation of the redaction should be completed in a manner that enables the requester to see where the redactions were applied, such as in greyscale or black over black and white text, unless doing so would itself reveal information that would warrant exemption under the Act. “Negative redaction,” where the removed section is blanked out, leads to confusion about what has been removed from the page, so it should be avoided. This aligns with 4.1.28 of the Directive, which requires the redacted material to be clearly identified in a manner that is evident. Alternatively, to align with 4.1.27, a covering letter listing the exemptions might be appropriate when, for example, the notation in the margin might in and of itself cause injury.

    The Federal Court held in Canada (Information Commissioner) v. Canada (Minister of National Defence), [1990] 3 F.C. 22 ( No. T‑746‑88) that compliance with subsection 10(1) of the ATIA, which is the equivalent of subsection 16(1) of the Privacy Act, requires a government institution to indicate in the notice of refusal the specific exemption provisions of the various sections of the Act, rather than illustrative or descriptive paragraphs. In this particular instance, the case related to section 15 of the ATIA, but the same principle would also apply to section 21 and subsection 22(1) of the Privacy Act.

    The important principle is for an institution to indicate the specific provision on which an exemption is based, along with the relevant section, subsection or paragraph, when the provisions are not too illustrative or descriptive in nature. For example, in applying section 21 of the Act, the minimum of amount of information provided would be the section and whether the exemption is based on defence, international relations, or subversive or hostile activities. Although the court found that the indication of illustrative or descriptive paragraphs is not legally necessary, it considered the practice to be commendable in many circumstances. However, it would be inadvisable to take this approach when doing so would harm the interest the exemption is trying to protect. For example, if the only exemption invoked on a page was subparagraph 22(1)(b)(ii) (which protects confidential sources of information for law enforcement), this would indicate that the information was supplied by a confidential source, and the requester may be able to use that information to identify the source. The ATIP analyst may want to stamp “paragraph 22(1)(b)” for the release package. However, in the internal processing file, the rationale would identify subparagraph 22(1)(b)(ii) as the exemption invoked, providing information as to how the source could be identified, such as the date and location of the events described on the page.

    To help requesters better understand the nature of the exemptions and exclusions applied to their response package, TBS has published a Privacy Act Plain Language Guide. The sample letters provided in Appendix A include links to this guide.

    9.11 Existence of a record

    Subsection 16(2) of the Act provides that an institution may, but is not required to, indicate whether a record exists. Subsection 16(1) of the Act requires that even if the institution does not confirm that a record exists, an institution must indicate the provision on which refusal of access to the personal information could reasonably be expected to be based if it existed.

    Given the discretionary nature of subsection 16(2) of the Act, institutions should document the reasons refusing to indicate the existence of a record in their processing file. For example, an institution may have a valid reason to invoke subsection 16(2) if acknowledging the existence or non-existence of a record could, by itself, disclose information to a requester. For example, a law enforcement agency that acknowledges that personal information exists may confirm that an investigation is taking place and allow the requester to take actions that compromise an investigation before a decision is made to lay charges.

  • Chapter 10 – Specific exemptions and section 33 of the Privacy Act

    Date updated: 2024-12-09
    ATI Manual Cross-reference

    Preamble

    This chapter covers the mandatory and discretionary exceptions to the right of access described in sections 18 to 28 of the Privacy Act. It also explains other grounds for refusing access to representations found in section 33 of the Privacy Act. Where appropriate, the most recent and relevant case law is cited, and excerpts are sometimes reproduced. When reviewing jurisprudence as part of their analysis, institutions may wish to consult their legal counsel. Please keep in mind that decisions of higher courts take precedence. For additional guidance on the general principles and nature of exemptions, please refer to Chapter 9. TBS prepares annually a summary of key court decisions related to the Access to Information Act and the Privacy Act that may provide additional guidance on exemptions.

    Exception Title or description Mandatory Discretionary Class Injury
    Subsection 18(2) Exempt banks No Yes Yes No
    Subsection 19(1) Personal information obtained in confidence Yes Nochapter 10 table 1 note ** Yes No
    Section 20 Federal-provincial affairs No Yes No Yes
    Section 21 International affairs and defence No Yes No Yes
    Paragraph 22(1)(a) Law enforcement and investigation: personal information was obtained or prepared by an investigative body in the course of an investigation No Yes Yes No
    Paragraph 22(1)(b) Law enforcement and investigation: Injurious to the enforcement of law No Yes No Yes
    Paragraph 22(1)(c) Law enforcement and investigation: injurious to the security of penal institutions No Yes No Yes
    Subsection 22(2) Policing services for provinces or municipalities Yes No Yes No
    Section 22.1chapter 10 table 1 note * Information obtained by Privacy Commissioner Yes No Yes No
    Section 22.2chapter 10 table 1 note * Public Sector Integrity Commissioner Yes No Yes No
    Section 22.3 Public Servants Disclosure Protection Act Yes No Yes No
    Section 22.4chapter 10 table 1 note * Secretariat of National Security and Intelligent Committee of Parliamentarians Yes No Yes No
    Section 23 Security clearances No Yes Yes No
    Paragraph 24(a) Individual sentenced for an offence: disrupt the parole or statutory release No Yes Yes No
    Paragraph 24(b) Individual sentenced for an offence: information obtained in confidence No Yes Yes No
    Section 25 Safety of individuals No Yes No Yes
    Section 26 Information about another individual Yes Nochapter 10 table 1 note ** Yes No
    Section 27 Protected information: solicitors, advocates and notaries No Yes Yes No
    Section 27.1 Protected information: patents and trademarks No Yes Yes No
    Section 28 Medical record No Yes No Yes

    Chapter 10 Table 1 Notes

    Chapter 10 Table 1 Note 1

    The exemption can only be claimed by the government institutions named in the provision.

    Return to chapter 10 table 1 note * referrer

    Chapter 10 Table 1 Note 2

    Where discretion is authorized.

    Return to chapter 10 table 1 note ** referrer

    10.1 Section 18: Exempt banks

    10.1.1 Exemption of personal information contained in an exempt bank

    Subsection 18(1) of the Privacy Act (the Act) provides that the Governor in Council may, by order, designate as exempt certain personal information banks that contain files, all of which consist predominantly of personal information described in section 21 (international affairs and defence) or section 22 (law enforcement and investigation) of the Act.

    The term “predominantly” means that more than half the information in each file qualifies for exemption under section 21 or section 22.

    As of November 2023, there were four orders that designate exempt banks:

    Subsection 18(2) of the Act provides that a government institution may refuse to disclose any personal information that is contained in an exempt bank. This is a discretionary exemption based on a class test. Although personal information in an exempt bank will almost certainly be exempted, the head of the institution has the discretion to disclose.

    When a government institution discloses personal information contained in an exempt bank to another government institution, the other institution cannot claim subsection 18(2) to exempt that personal information unless it also has an exempt bank for that type of information. This does not mean that the other institution must automatically disclose the personal information pursuant to a request, but rather consider which other exemption provisions apply in place of 18(2).

    10.1.2 Requirements of section 16 of the Privacy Act when applying section 18

    In some instances, an institution may wish to neither confirm nor deny the existence of a record by invoking subsection 16(2) of the Privacy Act.

    The Federal Court conducted a detailed and thorough analysis of the provisions of the Privacy Act and exempt information banks in Dzevad Cemerlic MD v. Canada (Solicitor General) 2003 FCT 133. The Court stated that section 18 does not give a government institution the power to adopt a policy of refusing to confirm or deny the existence of information in an exempt bank. In order to invoke such a policy, a government institution must rely on subsection 16(2). Adopting this type of policy is justified when revealing the existence or non-existence of information would in itself be an act of disclosure. Citing the decision Zanganeh v. Canada (Canadian Security Intelligence Service), [1989] 1 F.C. 244 (T.D.), and a similar position reaffirmed in Westerhaug v. Canadian Security Intelligence Service, 2009 FC 321, the Federal Court stated that another circumstance that would justify the adoption of this type of policy is where “the very acknowledgment of the existence of any information in the bank, whether or not such information exists, can—and certainly would—compromise the security of Canada by providing a referential insight, a chink in the armour of secrecy which the Canadian service must maintain[...].”The Court found that the Canadian Security Intelligence Service acted reasonably in adopting a uniform policy of neither confirming nor denying the existence of information in exempt bank 045. (Exempt bank 045, which is no longer in use, had contained information on individuals who are or were under investigation by the Canadian Security Intelligence Service on the suspicion that they have been involved in activities that constitute a threat to the security of Canada.)

    Care and consideration should be made to ensure that there is no acknowledgement of the existence of information while processing a request. A requester could infer the existence of information if, for example, the institution takes an extension for interference with operations (further review required to determine exemptions or large volume of pages) or to undertake consultations. In the case of Ternette v. Canada (Solicitor General) (T.D.), [1992] 2 FC 75, an inadvertent public admission of the existence of information necessitated a further review of material maintained in exempt bank and portions of personal information were released to the applicant.

    10.2 Section 19: Personal information obtained in confidence

    10.2.1 Exemption of personal information obtained in confidence

    Subsection 19(1) is intended to protect the federal government’s ability to obtain personal information from other governments. It gives assurance to other levels of government that they will retain control over the disclosure of information they provide to the federal government on a confidential basis.

    Under this exemption, the head of a government institution must refuse to disclose any personal information obtained in confidence from the following, collectively referred to as the source listed in the exemption:

    “(a) the government of a foreign state or an institution thereof”

    Examples include the United States (a foreign state) and the Internal Revenue Service (an institution of the United States). The exemption does not include personal information obtained from constituent parts of foreign states, for example, the state of New York.

    “(b) an international organization of states or an institution thereof”

    An “international organization of states” means any organization with members representing and acting under the authority of the governments of two or more countries. Examples are the United Nations, the North Atlantic Treaty Organization (NATO) and the International Monetary Fund. Examples of institutions of an international organization of states are the United Nations Children’s Fund (UNICEF) and the World Health Organization, which are agencies of the United Nations.

    “(c) the government of a province or an institution thereof”

    This includes the governments of Canada’s 10 provinces and the three territories and their ministries, departments and agencies.

    “(d) a municipal or regional government established by or pursuant to an Act of the legislature of a province or an institution of such a government”

    This includes the governments of municipalities created by legislation and by regulations.

    “(e) the council, as defined in the Westbank First Nation Self-Government Agreement given effect by the Westbank First Nation Self-Government Act

    “(e.1) the Whitecap Dakota Government, as defined in section 2 of the Self-Government Treaty Recognizing the Whitecap Dakota Nation / Wapaha Ska Dakota Oyate Act

    “(f) the council of a participating First Nation as defined in subsection 2(1) of the First Nations Jurisdiction over Education in British Columbia Act.”

    “(g) a First Nation Government or the Anishinabek Nation Government, as defined in section 2 of the Anishinabek Nation Governance Agreement Act, or an Anishinaabe Institution, within the meaning of subsection 1.1 of the Agreement, as defined in section 2 of that Act.

    10.2.2 Application

    Three requirements must be met for subsection 19(1) to apply:

    1) The personal information must have been obtained “in confidence.”

    The term “in confidence” is usually applied to information obtained on an understanding that it must remain confidential, that is, the information is not available for dissemination beyond those individuals within the government institution that have a need to know the information. Information may be obtained in confidence explicitly or implicitly.

    Information is “explicitly” provided in confidence when the government or governmental agency or organization providing the information expressly requests or indicates that the information must be kept confidential. The intention to provide information in confidence can be stated in the record, an agreement or a verbal request. Practically speaking, it is advisable to note within the written records of a verbal request.

    Information is “implicitly” provided in confidence when an intention that the information be treated as confidential can be implied from the circumstances in which it was provided, for example, from past practices followed with respect to such information, policies and so on.

    The Directive on Privacy Practices requires that when sharing personal information, government institutions must prepare an information sharing agreement to ensure appropriate privacy protections are in place. In other words, a written record of understanding between government parties outlines the terms and conditions under which the personal information is shared between the parties. To assist institutions in this regard, the Treasury Board of Canada Secretariat has published the Guidance on Preparing Information Sharing Agreements Involving Personal Information.

    Copies of personal information received in confidence by a government institution may be found in the files of one or more government institutions. All copies of the information supplied in confidence must be protected from disclosure.

    The following are examples of personal information obtained in confidence from a specified level of government:

    • personal information obtained by the Canadian Security Intelligence Service from municipal police forces
    • personal information from INTERPOL concerning individuals suspected of being a threat to the security of Canada

    2) The personal information must have been obtained “from” another government or an international organization of states or an institution thereof.

    3) The personal information must have been obtained from “another government or an international organization of states or an institution thereof.”

    For the information to be “obtained,” it must be acquired from one of the sources within the categories set out in paragraphs (a) through (g).

    It does not matter whether the record originates from the Government of Canada or from a body described in subsection 19(1) as long as the personal information it contains was supplied by a body described in subsection 19(1). Therefore, the exemption may be invoked when the disclosure of information in a record originating from the Government of Canada would reveal personal information received from a body described in subsection 19(1), for example, if a province gathered information from CBSA, combined it with its own information, and shared it with a government institution.

    10.2.3 Time limitation

    There is no time limit for the application of subsection 19(1). In other words, the exemption applies irrespective of the age of the records.

    10.2.4 Permissible disclosure

    Subsection 19(2) of the Act provides that the head of a government institution may disclose any personal information described in subsection 19(1) if the government, organization or institution from which the information was obtained:

    • (a) consents to the disclosure; or
    • (b) makes the information public.

    This subsection gives some flexibility to government institutions in dealing with requests for access to personal information given in confidence. In applying subsection 19(1), government institutions must consider the exercise of this discretion to disclose. In the decision Ruby v. Canada (Solicitor General) (C.A.), [2000] 3 FC 589, reviewed on other grounds in 2002 SCC 75, the Court of Appeal stated that to properly apply the exemption, the head of a government institution must make a reasonable effort to seek the consent of the foreign government that provided the information. That said, the Court added that it is not necessary for a government institution to seek consent if it is acting according to an established protocol that respects the spirit and the letter of the legislation. For example, there are factors for and against seeking consent later in this section that institutions may use to develop procedures or protocols.

    This interpretation of the exemption was further emphasized in Layoun v. Canada (Attorney General), 2014 FC 1041, at paragraphs 51 to 53. In this section 41 Application, the applicant had submitted a request for access to their personal information contained in his Preventive Security File. The respondent refused disclosure of most of the information based on the exemptions found in paragraphs 19(1)(c), 19(1)(d), 22(1)(a), 22(1)(c) and section 26 of the Privacy Act. The Court wrote, “The Federal Court of Appeal has held that seeking consent under that subsection is subject to practical considerations, and government institutions may make protocols to deal with the process of seeking consent.[...] Those protocols must respect the nature of the Privacy Act. The onus is only to make ‘reasonable efforts’ to seek consent.” The Court found that “the correspondence in the Respondent’s authorities from the Montreal Police Service indicates that consent to disclose the records would have been withheld if sought. Those considerations, along with concerns about security and safety, indicate that [Correctional Service Canada] reasonably exercised its discretion to refuse disclosure and it acted reasonably in not seeking the consent of the relevant third parties.”

    For institutions that regularly have information that is obtained in confidence from one of the sources within the categories set out in paragraphs (a) through (g), they may wish to develop internal procedures to establish common scenarios and build rationales to support their exercise in discretion under paragraph 19(2)(a).

    Factors for seeking consent may include:

    • the subject of the information obtained that has been made public
    • the age of the information
    • the routine nature of the personal information or if its context is not sensitive

    Factors against seeking consent may include:

    • international affairs:
      • the information was obtained from the source listed in the exemption but contains subject matter about another organization provided in confidence
      • the information was not obtained from the requester’s country of origin but rather it was provided by a different source listed in the exemption, such as NATO
      • there are international conventions in motion, such as the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters
      • the source does not have similar access or privacy legislations and therefore no infrastructure to accept consultations
    • Intelligence, defence and security:
      • the personal information relates to the commission of an offence
      • if released, the personal information may cause harm to the individual
      • may be related to extradition treaties

    However, even if the conditions set out in subsection 19(2) are met, an institution may still withhold personal information given in confidence by one of the sources within categories set out in paragraphs (a) through (g). This was confirmed in Do-Ky v. Canada (Minister of Foreign Affairs and External Trade) (T.D.), [1997] 2 FC 907, reviewed on other grounds in [1999] F.C.J. No. 673 (QL) (FCA) Docket A-200-97, where the Federal Court stated that subsection 13(2) of the Access to Information Act (ATIA) (which is equivalent to subsection 19(2) of the Privacy Act) does not require the release of records containing information that has been made public. Subsection 13(2) of the ATIA simply offers the possibility of disclosing documents that might otherwise be exempted by subsection 13(1). The Court cautioned: “In the general structure of the scheme however, if those documents are not to be released, the head of the government institution must be able to give reasons justifying the decision not to release.”

    The Court also made the following statements:

    the second-party government asked for confidentiality and Canada cannot breach the trust placed in it without suffering considerable harm to its reputation in the international community and ipso factoFootnote 1 to its international relations.[...]

    [...]once a state requests that diplomatic correspondence remain confidential there is no need for the Canadian government to assess the reasons of that country. It is sufficient if they have made the request of the Canadian government. Indeed, it would be a diplomatic lapse were the Canadian government to sit in judgement of the rationale of the foreign state except in the most extreme circumstances.

    Institutions may consider if section 21 (International affairs and defence) of the Act (subsection 10.4) also applies to information that is exempt pursuant to paragraphs 19(1)(a) and (b), and whether section 20 (Federal-provincial affairs) (subsection 10.3) also applies to information that is exempt pursuant to paragraph 19(1)(c).

    10.3 Section 20: Federal-provincial affairs

    10.3.1 Exemption of personal information related to federal-provincial affairs

    Section 20 of the Act is a discretionary exemption based on an injury test that aims to protect the role of the federal government in its conduct of federal-provincial affairs. To invoke this exemption, a government institution should be convinced that the disclosure of specific personal information could reasonably be expected to be injurious to the conduct, by the federal government, of federal-provincial affairs.

    For the purposes of this exemption, the “Government of Canada” is not restricted to the definition of “government institution” found in section 3 of the Act.

    The broader term encapsulates both departments individually and collectively, in the sense that the release of information by one department could be injurious to the conduct for other departments in their role in federal-provincial affairs.

    The related paragraph 19(1)(c) of the Act exempts information provided in confidence from “the government of a province or an institution thereof.” This is understood to include the governments of Canada’s 10 provinces and the three territories and their ministries, departments and agencies. For section 20 to be applicable, the harm must be to the conduct of the affairs between the government and one or more those institutions listed, but not necessarily the province to which the information relates.

    As noted in subsection 10.2, paragraph 19(1)(c) protects as a class all personal information that a province has supplied in confidence to the federal government. The use of section 20 is restricted to specific personal information, the release of which could be harmful to the conduct, by the federal government, of federal-provincial affairs. Section 20 may apply to information created by the federal government or obtained from other sources, for example, from an agent or a consulting firm provided that the information relates to the conduct of federal-provincial affairs.

    In Information Commissioner v. Prime Minister of Canada, [1993] 1 F.C. 427, the Federal Court ruled that to invoke section 14, the equivalent exemption under the ATIA, the government institution had to meet the “reasonable expectation of probable harm” test and, as such, must be satisfied that releasing the specific information could be damaging or prejudicial to the conduct of, or the federal government’s role in, federal-provincial affairs. The Court held that the alleged harm must be more than speculative and more than possible; the head of the government institution must be able to show that probable or actual harm would result from the disclosure. In fact, to successfully invoke the exemption, the head of the government institution must establish a clear and direct linkage between the disclosure of specific information and the alleged harm. The harm should articulate how the release of the information would hurt or damage affairs, understood to mean matters such as formal negotiations, ongoing relationships and exchanges between government institutions and the provinces.

    It is rare that personal information will be related to federal-provincial affairs. However, any injury regarding federal-provincial affairs is most likely where the federal government is either about to commence or is in the midst of conducting specific negotiations, deliberations or consultations. There may, however, be some types of personal information that continue to be sensitive beyond these formal exchanges. The release of such information could jeopardize the position of the federal government in conducting federal-provincial affairs in the future or seriously affect its relations with one or more provincial governments. Personal information that continues to be sensitive should be protected until it its release can no longer reasonably be expected to cause injury.

    10.3.2 Consultation

    Access to Information and Privacy (ATIP) offices should consult with the ATIP office of the Privy Council Office before disclosing information pertaining to federal-provincial affairs if they require more information for the proper exercise of discretion or if they intend to disclose sensitive information.

    10.4 Section 21: International affairs and defence

    10.4.1 Exemption of personal information related to international affairs, defence and national security

    Section 21 of the Act is a discretionary exemption based on an injury test that is intended to protect three general public interest areas where the disclosure could reasonably be expected to be injurious to the following:

    1. The conduct of international affairs: This includes not only state-to-state affairs, but also commercial, cultural or scientific links established by citizens with counterparts in other countries.
    2. The defence of Canada or any state allied or associated with Canada: An “allied state” is one with which Canada has concluded formal alliances or treaties. An “associated state” is a state with which Canada may be linked for trade or other purposes outside the scope of a formal alliance.
    3. The detection, prevention or suppression of subversive or hostile activities: This exemption protects specific types of information pertaining to the security of Canada.

    These three general areas of public interest can be considered independently even though they are closely and intimately interrelated and frequently overlap.

    10.4.2 Definitions

    Section 21 incorporates by reference subsections 15(1) and 15(2) of the ATIA, which are essential for interpreting and applying this exemption.

    Subsection 15(2) of the ATIA defines the terms “defence of Canada or any state allied or associated with Canada” and “subversive or hostile activities.”

    “Defence of Canada or any state allied or associated with Canada” includes, but is not limited to, the efforts of Canada and of foreign states toward the detection, prevention or suppression of activities of any foreign state directed toward an actual or potential attack or other act of aggression against Canada or any state allied or associated with Canada.

    The definition of “subversive or hostile activities” in the ATIA reads as follows:

    • (a) espionage against Canada or any state allied or associated with Canada,
    • (b) sabotage,
    • (c) activities directed toward the commission of terrorist acts, including hijacking, in or against Canada or foreign states,
    • (d) activities directed toward accomplishing government change within Canada or foreign states by the use of or encouragement of the use of force, violence or any criminal means,
    • (e) activities directed toward gathering information used for intelligence purposes that relates to Canada or any state allied or associated with Canada, and
    • (f) activities directed toward threatening the safety of Canadians, employees of the Government of Canada or property of the Government of Canada outside Canada.

    Two of the three public interests mentioned in the introductory paragraph of subsection 15(1) of the ATIA are defined in subsection 15(2). It is important to note that “defence of Canada or any state allied or associated with Canada” is defined non-exhaustively because of the use of the word “includes.” The definition, therefore, does not limit the exemption to the listed types of information. However, the phrase “subversive or hostile activities” is defined exhaustively because of the use of the word “means.” The exemption may be invoked only for the specific activities listed in the definition. Personal information pertaining to other security or intelligence activities, such as security screening, immigration and citizenship vetting, domestic vital points and security inspections, cannot be exempted under this provision unless the information relates to one of the activities outlined in paragraphs 15(2)(a) to (f) of the ATIA or if it is in section 21.

    10.4.3 Types of information

    Section 21 refers to paragraphs 15(1)(a) to (i) of the ATIA to illustrate the specific types of information that are likely to be covered by the exemption. This list of examples illustrates only the types of information that could give rise to an injury to one of the three specified interests.

    Some of the examples set out in subparagraphs 15(1)(a) to (i) of the ATIA may not apply to personal information (for example, information on the quantity, characteristics, capabilities or deployment of weapons). This, however, does not mean that the disclosure of information about an identifiable individual may never cause the type of injury described in these paragraphs. It is conceivable, for instance, that the disclosure of the fact that an individual with known experience in a specialized field (that is, intelligence, counterterrorism, weapons) is engaged in activity may be sufficient to cause injury to one of the three interests protected by section 21. Care and consideration should be made when information that falls into subparagraphs 15(1)(a) to (i) of the ATIA is interwoven with the personal information requested.

    Paragraphs 15(1)(c) and 15(1)(d) of the ATIA have a higher likelihood of including information about individual persons and are most likely to apply under section 21 of the Privacy Act. They list the following types of information:

    • (c) [any information] relating to the characteristics, capabilities, performance, potential, deployment, functions or role of any defence establishment, of any military force, unit or personnel or of any organization or person responsible for the detection, prevention or suppression of subversive or hostile activities.

    Paragraph (c) deals with defence establishments, military and national security personnel. When examining if the personal information may be released, consideration can be made to the interactions with the establishments and other personnel. Although an individual may be responsible for a piece of equipment, for example, the location and safeguards for it would not be information that could be released. The exemption looks to protect the ability to defend or resist attack, and factual and contextual information could be used to harm or injury the defence of Canada or any state allied or associated with Canada.

    • (d) [any information] obtained or prepared for the purpose of intelligence relating to
      • the defence of Canada or any state allied or associated with Canada, or
      • the detection, prevention or suppression of subversive or hostile activities.

    Paragraph (d) deals with intelligence concerning defence and national security. Information “obtained or prepared for the purpose of intelligence” encompasses both the raw data collected and the refined product or analysis. Intelligence describes information gathered in a covert manner as part of the ongoing efforts to defend, detect, prevent or suppress subversive or hostile activities. The information can relate to an individual or groups of individuals or organizations. Although the information is likely not collected as part of a specific investigation, previous incidents that may result in charges being brought forward on individuals may draw out a need for surveillance. Within intelligence gathering, individuals who are suspected of espionage may be targeted. This is the practice of spying or using individuals to secretly collect and report information on activities and movements of another. Espionage can inform other subversive activities such as sabotage, causing deliberate damage to something; or terrorism, acts of serious violence or activities that incite fear that may be used to coerce government bodies or organization to take or cease certain actions.

    10.4.4 Application

    The types of information listed in subsection 15(1) of the ATIA will not automatically be exempted under section 21 of the Privacy Act. For the exemption to apply to any category of information described in the provision, the head of a government institution must be able to demonstrate that there is a reasonable expectation of probable harm to one of the three specified public interests flowing from disclosure.

    When invoking section 21, it is not necessary to refer to the specific descriptive paragraph of subsection 15(1) of the ATIA. In the decision Canada (Information Commissioner) v. Canada (Minister of National Defence), [1990] 3 F.C. 22 , the Federal Court stated that “what is required, in the context of section 15, is that the requester be given notice as to whether the reason for refusal is because a disclosure would be (1) injurious to the conduct of international affairs or (2) injurious to the defence of Canada or any state allied or associated with Canada, or (3) injurious to the detection, prevention or suppression of subversive or hostile activities.”

    The following decisions concerning section 15 of the ATIA are helpful in applying section 21 of the Privacy Act.

    In the decision Al Yamani v. Canada (Minister of Citizenship and Immigration), [2000] 3 F.C. 433 (T.D.), the Federal Court characterized “subversive or hostile activities” as activities that “may or may not involve violence and that target Canada or any state allied or associated with Canada. It [the definition] does not distinguish between activities which would be considered subversive as opposed to hostile; rather it lumps together a broad mix of activities ranging from intelligence-gathering to terrorism.”

    In cases where a foreign state has expressed concern and wishes diplomatic notes or correspondence not to be released, this opposition alone is likely sufficient to justify the non-disclosure even when or if parts of the sought information have already been accessed by the requester. In the decision Do-Ky v. Canada (Minister of Foreign Affairs and External Trade), [1997] 2 F.C. 907 (T.D.), the Federal Court made the following statements:

    In assessing the injury to be expected on release of the notes it was proper for the Respondent to consider normal diplomatic practice as this would be the best standard by which to judge probable harm.

    There is no evidentiary burden on the Canadian government to establish that the diplomatic note sent to Canada is not public. The government is not, in these circumstances, asked to prove a negative premise.[...]

    The second-party government asked for confidentiality and Canada cannot breach the trust placed in it without suffering considerable harm to its reputation in the international community and ipso facto to its international relations.

    Once a state requests that diplomatic correspondence remain confidential there is no need for the Canadian government to assess the reasons of that country. It is sufficient if they have made the request of the Canadian government. Indeed, it would be a diplomatic lapse were the Canadian government to sit in judgement of the rationale of the foreign state except in the most extreme circumstances.

    That said, it is important to note that in the decision X v. Canada (Minister of National Defence), [1992] 58 F.T.R. 93 (F.C.T.D.), the Federal Court was of the view that it would be unreasonable to conclude that certain documents dated 1941 and 1942 and related to a time when Canada was engaged in a world war could reveal anything pertinent to the conduct of Canada’s international relations and its national defence 50 years after the fact.

    In the decision Attaran v. Canada (Foreign Affairs), 2011 FCA 182, the issue before the Court was whether the discretion under subsection 15(1) of the ATIA was exercised and, if so, whether the discretion was exercised reasonably. The Federal Court of Appeal held that the evidence before the Court must demonstrate that the decision maker exercised the discretion conferred under subsection 15(1). The burden of proof may fall to the government institution to establish that discretion was exercised in a reasonable manner, particularly in cases where the requester does not have access to the full records and part of the proceedings are in camera.Footnote 2 The Court examined what evidence would be needed to demonstrate that the decision maker exercised their discretion conferred under subsection 15(1). The Court made the following statement:

    Just as the absence of express evidence about the exercise of discretion is not determinative, the existence of a statement in a record that a discretion was exercised will not necessarily be determinative. In every case involving the discretionary aspect of section 15 of the Act, the reviewing court must examine the totality of the evidence to determine whether it is satisfied, on a balance of probabilities, that the decision-maker understood that there was a discretion to disclose and then exercised that discretion.

    The prior public disclosure of the information was identified as a relevant factor to be considered in the exercise of the discretion. Although this may not be true in all cases, the prior public disclosure of information provided an incentive for the exercise of discretion to release the information to the requester.

    Institutions may consider if section 19 (Personal information obtained in confidence) of the Act (subsection 10.2) would also apply to personal information that is exempt pursuant to the equivalent ATIA provision 15(1)(h).

    10.4.5 Consultation

    It is no longer mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt information under section 21. Section 4.1.24 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive) instructs institutions to carry out inter-institutional consultations only when the processing institution requires more information for the proper exercise of discretion to withhold or only when it intends to disclose potentially sensitive information. When necessary, institutions should consult:

    • Global Affairs Canada when determining whether to exempt or disclose any information that could reasonably be expected to be injurious to the conduct of international affairs;
    • National Defence when determining whether to exempt or disclose any information that could reasonably be expected to be injurious to the defence of Canada or any state allied or associated with Canada; or
    • the government institution having the primary interest, that is, the Canadian Security Intelligence Service, Global Affairs Canada, National Defence, Public Safety Canada or the Royal Canadian Mounted Police (RCMP) when determining whether to exempt or disclose any information that could reasonably be expected to be injurious to the detection, prevention or suppression of subversive or hostile activities.

    10.5 Section 22: Law enforcement and investigation

    10.5.1 Exemption of personal information related to law enforcement, investigations and security of penal institutions

    Section 22 of the Act contains exemptions that aim to protect the following:

    • effective law enforcement, including criminal law enforcement;
    • the integrity and effectiveness of other types of investigative activities,Footnote 3 for example, ordinary administrative investigations under an Act of Parliament, investigations in regulatory areas, and air accident investigations; and
    • the security of penal institutions.

    Subsection 22(3) of the Act defines the term “investigation” for the purpose of paragraph 22(1)(b), discussed in further detail in subsection 10.5.6.

    10.5.2 Paragraph 22(1)(a)

    Paragraph 22(1)(a) of the Act is a discretionary class test exemption that protects the integrity of investigations and, more specifically, personal information obtained or prepared in the course of a lawful investigation conducted by an investigative body specified in Schedule III of the Privacy Regulations. This information is protected with a class test because of the difficulty in applying an injury test exemption to law enforcement records when virtually all personal information is of a sensitive nature. ATIP offices may wish to confirm with their Offices of Primary Interest if any of their investigative activities fall within Schedule III. This can assist newer team members to easily recognize if 22(1)(a) or 22(1)(b) may be considered when analyzing records.

    Before the exemption can be claimed, the following three conditions must be met:

    1. The personal information was “obtained or prepared,” meaning it must have been acquired for use by an investigative body listed in Schedule III of the Privacy Regulations.

      This does not mean that only those government institutions or parts thereof that are investigative bodies listed in the applicable schedule may invoke the exemption. Other institutions may claim the exemption, provided that the record meets these conditions.

    2. The personal information was obtained or prepared in the course of a lawful investigation.

      In the decision Canada (Minister of Public Safety and Emergency Preparedness) v. Maydak, 2005 FCA 186, the Federal Court of Appeal held that the term “investigation” as it is used in paragraph 22(1)(a) must be given a broad meaning. “Investigation” should be read in its ordinary sense and includes “the action of investigating; the making of a search or inquiry; systematic examination; careful or minute research.”

      The added precision is that the investigation itself must be sanctioned or not forbidden by law. It does not, however, address the issue of the legality of techniques used in the course of a lawful investigation or the issue of whether evidence has been illegally obtained.

    3. The investigation pertains to:
      1. the detection, prevention or suppression of crime;
      2. the enforcement of any law of Canada or a province; or
      3. activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act.

    Paragraph 22(1)(a) and its subparagraphs apply to personal information obtained in the course of investigations conducted under the Criminal Code or investigations of any other illicit activities prohibited under federal or provincial law, including municipal laws.

    Subparagraph 22(1)(a)(i) refers to crime and applies to investigations undertaken for the purposes of enforcing the Criminal Code.

    Subparagraph 22(1)(a)(ii) refers to investigations of activities prohibited under federal or provincial laws. These activities can include crimes, and so there is some overlap between subparagraphs 22(1)(a)(i) and (ii). The activities referred to in subparagraph 22(1)(a)(ii) are primarily those punishable as offences under federal or provincial law. The term “law of a province” includes municipal laws.

    Subparagraph 22(1)(a)(iii) refers to activities suspected of constituting threats to the security of Canada within the meaning of the Canadian Security Intelligence Service Act. The exemption is not limited to information collected by the Canadian Security Intelligence Service, but can be claimed by one of the other investigative bodies listed in Schedule III of the Privacy Regulations provided that the other criteria set out in paragraph 22(1)(a) are met.

    10.5.2.1 Time limitation on paragraph 22(1)(a)

    Paragraph 22(1)(a) applies only to records that came into existence less than 20 years prior to the request. This does not mean that records covered by this exemption must automatically be disclosed pursuant to a personal information request once they are 20 years old. Records that are more than 20 years old automatically fall outside the protection of paragraph 22(1)(a), so paragraph 22(1)(b) can be applied if the test set out in that paragraph is met and if there is still a need to protect them.

    In the decision Fontaine v. Royal Canadian Mounted Police, 2009 FCA 150, the Federal Court of Appeal stated that paragraph 16(1)(a) of the ATIA (which is equivalent to paragraph 22(1)(a) of the Privacy Act) indicated that the 20-year time limit is calculated from the date on which the personal information request is made and not from the date on which that request is subject to a subsequent final decision.

    10.5.2.2 Use of discretion on paragraph 22(1)(a)

    Despite its class nature, paragraph 22(1)(a) is a discretionary exemption. This flexibility is meant to temper the broad nature of the class test, and the head of the institution must exercise discretion in determining whether personal information that falls within the provision may nevertheless be disclosed. If, after balancing the reasons for release and the reasons against release, the head has reasonable cause to believe that the personal information should not be disclosed, they have the discretion to exempt this information. While not an injury-based exemption, institutions may wish to draw on the types of rationales built when protecting information under 22(1)(b) or under 16(1)(c) of the ATIA. For example, institutions can assess how releasing the personal information might be injurious to the enforcement of the law when weighing the factors for or against release, such as the precise methods of how information was obtained in the course of an investigation.

    10.5.2.3 Consultation on paragraph 22(1)(a)

    The exemption under paragraph 22(1)(a) follows the record. In other words, the exemption can be applied by an institution that is not an investigative body listed in the Privacy Regulations provided that the record was prepared by, or at one point came into the hands of, such an investigative body in the course of an investigation of an activity described in paragraph 22(1)(a). For example, Public Safety Canada can claim an exemption under paragraph 22(1)(a) for a report that it holds and that was originally prepared by the RCMP in the course of a narcotics investigation.

    It may be necessary for the processing institution to consult the investigative body that originally obtained or prepared the information when they require more information for the proper exercise of discretion when withholding the information or if they intend to disclose personal information. However, this consultation is not mandatory and should be limited only to circumstances where additional information about the investigation is required, or for additional context about what the individual requesting the personal information may already know.

    10.5.3 Paragraph 22(1)(b)

    Paragraph 22(1)(b) of the Act is a discretionary exemption based on an injury test that aims to protect law enforcement and investigations. The paragraph provides that a government institution may refuse to disclose personal information that, if disclosed, could reasonably be expected to be injurious to the enforcement of any law of Canada or a province, or to the conduct of lawful investigations. Subparagraphs (i), (ii) and (iii) provide examples of the types of information to which this exemption may apply. The examples specify information:

    • (i) relating to the existence or nature of a particular investigation,
    • (ii) that would reveal the identity of a confidential source of information, or
    • (iii) that was obtained or prepared in the course of an investigation.

    The types of information cited in this provision are illustrative only, and other types of information can qualify for the exemption.

    This exemption may apply to information that is either:

    1. Injurious to the enforcement of any law of Canada or a province: This supplements the class test exemption for law enforcement information found in paragraph 22(1)(a). The exemption can apply to:
      • the enforcement of federal and provincial regulatory legislation prohibiting certain types of activities or behaviour, such as the enforcement of the Hazardous Products Act
      • other types of investigations, such as taxation audits conducted by the Canada Revenue Agency
      • the enforcement of civil law remedies for prohibited activities or behaviour, such as those under the Canadian Human Rights Act
      • personal information that was obtained or prepared outside a specific investigative process, for example, information on detecting tax frauds or on computer programs used in law enforcement
      • personal information that would qualify under paragraph 22(1)(a), except that it came into existence 20 or more years before the request
    2. Injurious to the enforcement of any federal or provincial law or the conduct of a lawful investigation: This protects the integrity and effectiveness of lawful investigations. Although there may be some overlap between the enforcement of any law and the conduct of lawful investigations, they should be treated distinctly, as there may be some information about the enforcement of a law that is not about a lawful investigation.

    Examples include the following:

    • investigations undertaken to determine the cause of an accident but not to lay charges or assess blame for the purposes of a civil remedy
    • investigations into whether a person with a criminal record should be granted a pardon
    • investigations of unacceptable use of electronic networks, harassment complaints or grievances

    Subparagraph 22(1)(b)(ii) may also be claimed to protect the identity of persons who provide confidential information to investigators, as well as information from which their identity could be determined. This applies if the disclosure could impair their candour or willingness to be forthcoming and adversely affect investigative processes. When applying this exemption, however, care must be taken to distinguish between a witness and a confidential source. An identity of a confidential source of information may be revealed, if, for example:

    • name, address, identifying characteristics are disclosed
    • the information lends itself to drawing accurate inferences about the identity of the individual
    • disclosure, in combination with other information, can reveal the identity of the individual

    The type of investigation to which this exemption can be applied is limited in two ways:

    1. The investigation must be lawful. This means that it must not be forbidden by or be contrary to law.
    2. The investigation must come within the definition of the term in subsection 22(3) of the Act. “Investigation” is more fully defined in subsection 10.5.6 of this chapter.

    Other types of activities not specifically authorized by federal law or undertaken for the purposes of administering or enforcing federal law and that are sometimes described as investigative in nature, such as program evaluations, internal audits and other such studies and analyses, would not qualify as investigations under subsection 22(3) and, therefore, could not be exempted under this provision.

    An investigation does not need to be presently ongoing for the exemption to apply. In Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773, the Supreme Court of Canada held that paragraph 22(1)(b) should not be interpreted more narrowly than permitted by the language chosen by Parliament. The Court ruled the exemption to mean that the reasonable expectation of injury to future investigations is a ground for exempting information. The Court also emphasized that “there must be a clear and direct connection between the disclosure of specific information and the injury that is alleged.” The Court stated that “the sole objective of non-disclosure must not be to facilitate the work of the body in question; there must be professional experience that justifies non-disclosure.”

    The decision Canada (Privacy Commissioner) v. Canada (Labour Relations Board), [1996] 3 F.C. 609 (T.D.), affirmed in 2000 CanLII 15487 (FCA) examined the refusal to disclose personal information on the basis that the release of the information would be injurious to the conduct of a lawful investigation by linking the disclosure to the harm, as follows:

    the respondent met the burden placed upon it by paragraph 22(1)(b) and established that disclosure of the notes, by revealing the mental processes and ultimately, the decision-making processes of its members, would compromise its operations. The workings of the [Board] as an adjudicative tribunal called upon to dispose of substantive rights would be impeded to the point that a reasonable expectation of probable harm to the performance of its statutory functions under the Code would result from the requested disclosure. The regulated disclosure of hearing notes under the Privacy Act would take away from the [Board] a tool that is essential to the performance of its duty. If the notes are not exempt from disclosure, any “personal information” contained therein, including all expressions of opinions pertaining to litigants, lawyers and witnesses would, by law, have to be collated and retained in an information bank by the Board for at least two years. That prospect raised a reasonable expectation of probable harm to the performance by the Board of its duties under the Code.

    The decision also raised the issue of control, which is discussed further in Chapter 5 of this manual.

    10.5.3.1 Consultation on paragraph 22(1)(b)

    It is not mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt information under paragraph 22(1)(b). In fact, subsection 4.1.24 of the Directive instructs institutions to carry out inter-institutional consultations with respect to paragraph 22(1)(b) only when the processing institution requires more information for the proper exercise of discretion to withhold or only when it intends to disclose sensitive information.

    Where necessary, government institutions should consult with the investigative body or other government institution having primary interest in the law being enforced or the investigation being undertaken. The investigative body may also advise on any considerations into the applicability of subsection 12(1), where information is not personal in nature but relates instead to investigative techniques. Alternatively, institutions that consistently hold the portions of the personal information may choose to develop internal procedures to verify the status of an investigation to determine if release of the personal information would be injurious.

    10.5.4 Paragraph 22(1)(c)

    Paragraph 22(1)(c) is a discretionary exemption based on an injury test designed to protect information, the disclosure of which could reasonably be expected to be injurious to the security of penal institutions. Non-exhaustive examples are:

    • plans of penitentiaries that could be useful in an escape attempt
    • information that could be used to instigate a riot
    • information about the location of arms storage facilities within the penitentiary

    While the information above may not be personal, it may be interwoven with personal information. Careful analysis should be completed when reviewing records to ensure that that type of information is not released to the individual as part of their personal information request.

    Information should not be limited to only the facilities themselves but the interaction with and within the facilities. Careful consideration should be given to factual information about the facilities interwoven with information about the individual. Non-exhaustive examples include:

    • how and when shift changes are conducted could lend themselves to a greater understanding of when there is the greatest opportunity for escape
    • key exchanges
    • incidents of property destruction (for example, damage to doors or locking mechanisms)
    • intervention of an Emergency Response Team
    • external threats
    • storage closets and their contents
    • locations of cameras, including blind spots
    • building infrastructure (electrical panels, water pipes, gas)

    Institutions may consider if section 25 (Safety of individuals) of the Act (subsection 10.12) may also be applied when the above exemption is used to protect the safety of individuals, or if subsection 12(1) (Right of access) should also be applied to information that clearly falls outside the scope of being classified as personal information.

    10.5.4.1 Consultation on paragraph 22(1)(c)

    It is not mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt personal information under this section. However, if an institution is considering disclosure, it is strongly recommended to consult with Correctional Service Canada, especially when the institution does not normally treat personal information that falls under this exemption. This institution can assist in providing rationales as to why some information may in fact be highly sensitive, such as how information can facilitate an escape or potentially be injurious to staff and inmates.

    10.5.5 Subsection 22(2): policing services for provinces or municipalities

    For reference purposes only. This exemption would only be used for information that was created before corresponding provincial legislation was passed. Consider the use of subsection 22(1) for information obtained or prepared by the RCMP.

    Subsection 22(2) of the Act provides that a government institution shall refuse to disclose any personal information that was obtained or prepared by the RCMP while performing policing services for a province or a municipality pursuant to an arrangement made under section 20 of the Royal Canadian Mounted Police Act, where the Government of Canada has, on the request of the province or municipality, agreed not to disclose the information.

    This is a mandatory class exemption that protects information obtained or prepared, meaning it must have been acquired for use by the RCMP when performing its provincial or municipal policing role. In order for the exemption to be invoked, it is necessary that (1) the province or municipality request that the exemption be applied, and (2) the federal government agree to the request.

    10.5.6 Subsection 22(3): definition of “investigation”

    Subsection 22(3) of the Act states that for purposes of paragraph 22(1)(b) “investigation” means an investigation that:

    • (a) pertains to the administration or enforcement of an Act of Parliament;
    • (b) is authorized by or pursuant to an Act of Parliament; or
    • (c) is within a class of investigation specified in the regulations.

    This definition limits the types of investigations for which the exemptions in paragraphs 22(1)(b) can be claimed to those specifically authorized by federal law or undertaken for the purposes of administering or enforcing federal law. The following are examples, of the types of investigations described in paragraph 22(1)(b):

    • 22(3)(a): investigation by the Parole Board of Canada to determine whether an individual should be granted a pardon under the Criminal Records Act
    • 22(3)(b): investigation of an appointment conducted by the Public Service Commission of Canada
    • 22(3)(a) and (b): investigation by safety officers under Part II of the Canada Labour Code

    Residual classes of investigations are provided for in paragraph 22(3)(c). Section 12 of the Privacy Regulations specifies that they are the classes of investigations listed in Schedule V of the Regulations. An example is an investigation for the purpose of reviewing or updating a security clearance referred to in paragraph 23(a) or (b) of the Act that was granted to an individual.

    In the decision Sherman v. Canada (Minister of National Revenue), 2004 FC 1423, reviewed on other grounds in 2005 FCA 375, the Federal Court stated that “investigation” should be read in its ordinary sense to mean “the action of investigating; the making of a search or inquiry; systematic examination, careful or minute search,” undertaken with some guiding principle or aim in mind. In Canada (Minister of Public Safety and Emergency Preparedness) v. Maydak, 2005 FCA 186, it was further emphasized that regardless of the value, or lack thereof, of the information, what is key is that it was obtained through the act of investigating.

    Furthermore, as discussed in 10.5.3, an investigation can have already taken place, be current, or refer to the future. Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773, explained that “there is nothing in s. 22(1)(b) that should be interpreted as restricting the scope of the word ‘investigation’ to investigations that are underway or are about to commence, or limiting the general meaning of that word to specific investigations.” The exemption looks to protect when disclosure could reasonably be expected to be injurious to the conduct of investigations and could not practically be limited to only the present.

    Finally, in the decision 3412229 Canada Inc. v. Canada (Revenue Agency), 2020 FC 1156, the Federal Court concluded that the term investigation encompassed tax audits. The information “consists of either audit techniques used by the CRA to identify or guide its auditors in applying s. 94.1 of the ITA [Income Tax Act] or a risk assessment tool used to evaluate and manage the risks of an ongoing audit.” The information fell into the two categories identified in 16(1)(c) of the ATIA (which is identical to paragraph 22(1)(b) of the Act).

    10.6 Section 22.1: Information obtained by the Privacy Commissioner

    10.6.1 Exemption of personal information related to information obtained by the Privacy Commissioner

    Section 22.1 of the Act is a mandatory class exemption, intended to protect personal information obtained or created by the Privacy Commissioner or on their behalf. This collection or creation must occur in the course of an investigation conducted by, or under the authority of, the Commissioner. Alternatively, personal information could be obtained by the Commissioner during a consultation with the Information Commissioner under subsection 36(1.1) or section 36.2 of the ATIA.

    Only the Office of the Privacy Commissioner (OPC) may claim this exemption. Other government institutions cannot invoke section 22.1. However, another exemption may be applicable to the personal information requested.

    Section 22.1 recognizes that it is inappropriate for the Privacy Commissioner to disclose personal information that was obtained from institutions under investigation. The provision also protects personal information created by or on behalf of the Privacy Commissioner during investigations or consultations with the Information Commissioner to prevent interference with the Commissioner’s statutory duties, powers and functions.

    Personal information “obtained” during the investigation is acquired because the Commissioner had a need to do so based on their mandate. It comprises all personal information forwarded by the institution for the purposes of the investigation, including copies of the personal information relevant to the request that was processed and administrative documents created or obtained by the institution during the request’s processing. Copies of personal information can also include personal information from outside government (for example, from the public) sent to the OPC during the investigation (for example, testimonies, records and emails). It also includes the consultations that take place with the Information Commissioner under subsection 36(1.1) or section 36.2 of the ATIA.

    Personal information obtained by or on behalf of the Privacy Commissioner in the course of an investigation or consultation with the Information Commissioner continues to be protected pursuant to subsection 22.1(1), even after all proceedings related to the investigation have been concluded.

    In Carter v. Canada (Privacy Commissioner), 2019 FC 783, the Court upheld that certain redacted portions in response to the request fell within the scope of subsection 22.1(1), as the information was obtained from the National Defence, and as a result the OPC was not permitted to disclose it.

    10.6.2 Limitation on exemption

    There is an important distinction to be made between “personal information obtained” and “personal information created” during the Commissioner’s investigations. Subsection 22.1(2) imposes a limitation for the protection of personal information created by or on behalf of the Privacy Commissioner. These may include the notes of the investigators or documents from experts performing work on behalf of the Commissioner, internal email, investigation reports, notes to file and letters of findings.

    As a result, subsection 22.1(1) can no longer be applied to personal information created by or on behalf of the Privacy Commissioner once the investigation and all related proceedings, if any, are concluded. The term “related proceedings” normally refers to reviews by the Federal Court of Canada, the Federal Court of Appeal and the Supreme Court of Canada.

    This does not mean that personal information covered by subsection 22.1(1) must automatically be disclosed by the OPC pursuant to a request under the Act once all proceedings are concluded. Rather, such personal information automatically falls outside the class test protection of subsection 22.1(1). If there are still grounds to protect them, other exemptions contained in the Act would continue to apply to all or parts of the personal information.

    10.7 Section 22.2: Public Sector Integrity Commissioner

    10.7.1 Exemption of personal information related to information obtained by the Public Sector Integrity Commissioner

    Section 22.2 of the Act is a mandatory class exemption that can be used only by the Public Sector Integrity Commissioner (Integrity Commissioner). It requires the Integrity Commissioner to refuse to disclose any personal information obtained or created by them or on their behalf in the course of:

    • an investigation into a disclosure of wrongdoing made by a public servant under the Public Servants Disclosure Protection Act (PSDPA); or
    • an investigation initiated by the Integrity Commissioner under section 33 of the PSDPA as a result of information:
      • obtained in the course of another investigation of alleged wrongdoing; or
      • provided by a person who is not a public servant.

    For information to be “obtained or created,” it must be acquired or authored by the Integrity Commissioner or on their behalf because they had a need to do so based on their mandate. This includes personal information provided by the public servant making the disclosure, the person accused of wrongdoing, and a person who has met the conditions set out under section 33 of the PSDPA. This exception is meant to ensure that public servants and all persons involved in a disclosure process feel protected in reporting possible wrongdoing. They offer broad protection for personal information obtained and created in relation to a disclosure or a disclosure investigation, including the identity of the discloser and witnesses.

    Unlike paragraph 16.4(1)(b) of the ATIA, section 22.2 of the Privacy Act does not include a requirement to exempt information received by a conciliator in the course of attempting to achieve the settlement of a reprisal complaint filed under subsection 19.1(1) of the PSDPA. Therefore, such information may be disclosed in response to a request made under the Privacy Act unless another exemption applies.

    Because section 22.2 is a mandatory exemption, it must be applied to all personal information that falls within the class of records. The Integrity Commissioner must invoke the exemption even in cases where the personal information was previously disclosed during the investigative process, reported publicly under the PSDPA, published in the Integrity Commissioner’s reports to Parliament, or otherwise disclosed.

    There is no time limit respecting the application of section 22.2, and the exemption applies even after the completion of the investigation.

    Subject to sections 52 and 53 of the PSDPA, the public sector does not include the following: the Canadian Armed Forces, the Communications Security Establishment or the Canadian Security Intelligence Service. The PSDPA also does not apply to elected officials or their staff or employees of the House of Commons and the Senate.

    10.8 Section 22.3: Public Servants Disclosure Protection Act (PSDPA)

    10.8.1 Exemption of personal information related to information created for disclosure under the PSDPA

    Section 22.3 of the Act is a mandatory class exemption that must be invoked by all government institutions. It requires the head of a government institution to refuse to disclose personal information created for the purpose of making a disclosure under the PSDPA or in the course of an investigation into a disclosure under the PSDPA. Section 22.3 of the Act is meant to ensure that public servants and all persons involved in a disclosure process feel protected in reporting possible wrongdoing. They offer broad protection for personal information created in relation to a disclosure or a disclosure investigation, including the identity of the discloser and witnesses.

    For this exemption to apply, the following five conditions must be met:

    1. A disclosure of wrongdoing was made or was considered. The PSDPA defines “protected disclosure” as a disclosure that is made in good faith by a public servant:
      • in accordance with the PSDPA;
      • in the course of a parliamentary proceeding;
      • in the course of a procedure established under any other Act of Parliament; or
      • when lawfully required to do so.
    2. The disclosure was made or is being prepared by a public servant. “Public servant” is defined in the PSDPA as every person employed in the public sector, every member of the RCMP and every chief executive.
    3. The alleged wrongdoing is in or relates to the public sector. “Public sector” is defined as the departments and bodies named in Schedules I to V of the Financial Administration Act and the Crown corporations and the other public bodies listed in Schedule 1 of the PSPDA. Subject to sections 52 and 53 of the PSDPA, the public sector, for the purposes of administering that Act, does not include the following: the Canadian Armed Forces, the Communications Security Establishment or the Canadian Security Intelligence Service. The PSDPA does not apply to elected officials or their staff or employees of the House of Commons and the Senate.
    4. The alleged wrongdoing relates to one of the following wrongdoings in or in relation to the public sector, as defined in section 8 of the PSDPA:
      • (a) a contravention of any Act of Parliament or of the legislature of a province, or of any regulations made under any such Act, other than a contravention of section 19 of the PSDPA;
      • (b) a misuse of public funds or a public asset;
      • (c) a gross mismanagement in the public sector;
      • (d) an act or omission that creates a substantial and specific danger to the life, health or safety of persons, or to the environment, other than a danger that is inherent in the performance of the duties or functions of a public servant;
      • (e) a serious breach of a code of conduct established under section 5 or 6 of the PSDPA; and
      • (f) knowingly directing or counselling a person to commit a wrongdoing set out in any of paragraphs (a) to (e).
    5. The information was created for the purpose of making the disclosure or in the course of an investigation into a disclosure.

    As mentioned above, the exemption must be claimed by all government institutions if the conditions described in the provision are met. Although the Canadian Forces, the Canadian Security Intelligence Service and the Communications Security Establishment are not subject to the PSPDA, they must invoke section 22.3 to exempt personal information obtained from other government institutions that was created for the purpose of making a disclosure under the PSDPA or in the course of an investigation into a disclosure under the PSDPA.

    Information that falls under section 22.3 is permanently protected and cannot be released in response to a request for access to personal information. In such circumstances, institutions must exempt all personal information related to a disclosure of alleged wrongdoing or an investigation made under the PSDPA, even in cases where the information was previously disclosed during the investigation process, reported publicly by the chief executive of the institution under paragraph 11(1)(c) of the PSDPA, published in the Integrity Commissioner’s reports to Parliament, or otherwise disclosed.

    It should be noted that information relating to reprisal complaints filed under subsection 19.1(1) of the PSDPA is not covered by this exemption and can be released by institutions unless other exemptions apply.

    There is no time limit or other constraint restricting the application of section 22.3.

    10.8.2 Relationship with paragraph (g) of the definition of “personal information”

    Pursuant to paragraph (g) of the definition of “personal information” found in section 3 of the Act, “views or opinions of another individual about the individual” who is making the request, including allegations made about the individual, are considered to be the personal information of that individual. In most cases, such information would be released to the individual on request, subject to the exemption and exclusion provisions of the Privacy Act.

    Nevertheless, when such views or opinions form part of a disclosure of alleged wrongdoing or an investigation of a disclosure of alleged wrongdoing under section 33 of the PSDPA, all information related to the allegations, the disclosure of the alleged wrongdoing and the related investigation must be exempted in response to a request from the individual under the Privacy Act.

    As mentioned in the previous section, this protection does not apply to information relating to reprisal complaints filed under subsection 19.1(1) of the PSDPA.

    10.9 Section 22.4: Secretariat of National Security and Intelligence Committee of Parliamentarians

    10.9.1 Exemption of personal information related to information obtained by the Secretariat of National Security and Intelligence Committee of Parliamentarians

    Section 22.4 of the Act is a mandatory class exemption that is intended to protect personal information obtained or created by the Secretariat of the National Security and Intelligence Committee of Parliamentarians (the Secretariat), or on their behalf in the course of assisting the National Security and Intelligence Committee of Parliamentarians (the Committee) in fulfilling its mandate.

    This section states that the Secretariat shall refuse to disclose personal information that was obtained from institutions under review. The provision also protects personal information created by or on behalf of the Secretariat or the Committee as part of reviews to prevent interference with the Committee’s statutory duties, powers and functions.

    There is no time limit respecting the application of section 22.4, and the exemption applies even after the completion of the investigation. Even information created after the conclusion of a review is covered by this exemption.

    Only the Secretariat or the Committee may claim this exemption. Other government institutions cannot invoke section 22.4. However, another exemption may be applicable to the personal information requested.

    10.10 Section 23: Security clearances

    10.10.1 Exemption of personal information related to information obtained for security clearances

    Section 23 of the Act is a discretionary exemption that contains a class test and consideration of whether disclosure could reveal the source of the information.

    This section provides that a government institution may refuse to disclose any personal information that was obtained or prepared by an investigative body specified in Schedule IV of the Regulations for the purpose of determining whether to grant security clearances, if disclosure of the information could reasonably be expected to reveal the identity of the individual who furnished the information to the body. “Obtained or prepared” means that the personal information must have been acquired for use by the investigative body. “Furnished” means that the individual “gave” the information to the body. As per paragraphs (a) and (b) of section 23, it applies to security clearances that are:

    • required by the Government of Canada or a government institution for:
      • individuals employed by the government or an institution;
      • individuals performing services for the government or an institution;
      • individuals employed by or performing services for a person or body performing services for the government or an institution; or
      • individuals seeking to be employed or seeking to perform services for the government or an institution; or
    • required by the government of a province or a foreign state or an institution thereof.

    The Privacy Regulations contain a list of investigative bodies to which section 23 of the Act applies. The inclusion of these specific bodies is intended to protect sources of information within the security clearance process of the Government of Canada, particularly when the information provided relates to subversive or hostile activities or organized crime.

    Paragraphs (a) and (b) of section 23 of the Act represent the class test components of this discretionary exemption. If the requested personal information falls within any of these classes, the class test is satisfied.

    The consideration of whether disclosure could reveal the source of the information applies to both the identity of the individual who furnished the information to the investigative body and the investigative body’s methods or other sources of information. The applicable threshold is that there must be a reasonable expectation of being able to identify the source.

    After a thorough analysis of these considerations, an institution should then exercise its discretion in releasing the information in question. This second stage of analysis should involve weighing the relevant public and private interests that would be affected by the information being disclosed.

    This exemption was considered in Dolan v. Canada (1993), 64 FTR 284,Footnote 4 where the Federal Court concluded that the protection afforded by section 23 applies to personal information collected about an individual who was seeking employment in a government institution, even if the individual had not yet been made a conditional offer of employment prior to the collection.

    Institutions may consider if paragraph 22(1)(b) (Law enforcement and investigations) of the Act (subsection 10.5.3) may also be applied to information that may not fit into the class of granting a security clearance, but is incidentally collected during this investigative process. Section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied where information about other individuals is interwoven within the request.

    10.10.2 Consultation

    Although it is no longer mandatory to consult the federal institution most concerned before deciding whether to disclose or exempt information under section 23, institutions may wish to consider consulting if they require additional information to demonstrate a reasonable expectation of probable harm if releasing the information. For example, the institution may need more information from the investigative body as to how the information found in the request would allow identification of the source and if that identification would likely cause injury to the source.

    10.11 Section 24: Individuals sentenced for an offence

    10.11.1 Exemption of personal information related to individuals sentenced for an offence

    Section 24 of the Act provides that a government institution may refuse to disclose any personal information that was collected or obtained by Correctional Service Canada or the Parole Board of Canada while the individual was under sentence for an offence against any Act of Parliament if disclosure could reasonably be expected to:

    • (a) lead to a serious disruption of the individual’s institutional, parole or statutory release program; or
    • (b) reveal information about the individual originally obtained on a promise of confidentiality, express or implied.

    Like section 23 of the Act, paragraphs 24(a) and 24(b) are discretionary exemptions based on both a class test and a further consideration of whether disclosure could disrupt their release program or reveal the source of confidentially obtained information.

    The first stage of analysis involves a class test. As part of this test, institutions must examine whether the requested personal information was collected or obtained by Correctional Service Canada or the Parole Board of Canada while the individual who made the request was under a sentence for an offence violating an Act of Parliament. This factor must be present for the exemption to apply.

    If the class test is satisfied, institutions can then consider the second stage of analysis. Institutions must examine whether disclosure would lead to a serious disruption of the individual’s institutional, parole or statutory release program, or reveal information about the individual originally obtained on a promise of express or implied confidentiality. An example may be if an individual made a personal information request for records from the Parole Board of Canada in advance of a hearing. Some of the information contained within their file could be interpreted to suggest that parole would not be granted and may cause distress to the individual while still incarcerated or it give information as to who might have provided testimony against them.

    Paragraph 24(a) may still apply after the individual has been released from federal prison if the individual making the request is still incarcerated or remains under a parole or a mandatory supervision program. Meanwhile, the consideration of whether disclosure could reveal information obtained on a promise of confidentiality set out in paragraph 24(b) may continue to exist after the individual making the request has served their full sentence.

    The Federal Court of Canada examined the exemption in section 24 in Longaphy v. Canada (Solicitor General), [1992] F.C.J. No. 302, [1992] A.C.F. No. 302, 53 F.T.R. 147, 6 Admin. L.R. (2d) 54.Footnote 5 In that decision, the Court agreed that an implicit promise of confidentiality could be sufficient to claim paragraph 24(b) because an inmate suspected of providing information about another inmate to the staff of the penitentiary may be subject to severe reprisals or even death by other inmates.

    Institutions must still exercise their discretion regarding whether to release the information in question. Given the sensitivity of the personal information that falls under section 24, it is recommended that government institutions consult Correctional Service Canada or the Parole Board of Canada if information is considered for release.

    Institutions may consider if subparagraph 22(1)(b)(ii) (Law enforcement and investigations) (subsection 10.5.3) and section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied when the above exemption is used to protect the name of another individual other than the requester. Alternatively, 22(1)(b)(iii) (subsection 10.5.3) and 22(1)(c) (subsection 10.5.4) may be considered for information relating to investigations or the security of penal institutions.

    10.12 Section 25: Safety of individuals

    10.12.1 Exemption of personal information related safety of individuals

    Section 25 of the Act is a discretionary exemption based on an injury test. A government institution may refuse access to the requested personal information if the disclosure could reasonably be expected to threaten the safety of one or more individuals.

    The phrase “threaten the safety of individuals” in section 25 is not defined in the Act and has not yet received judicial interpretation. Therefore, the terms are given their ordinary dictionary meaning:

    • “threaten,” in the context of section 25, means to expose to risk or harm; to be a menace or source of danger
    • “safety” means freedom from danger or hazard; exemption from hurt, injury or loss
    • “individual” means a human being

    The types of individual safety interests that could be threatened are relatively broad, covering an individual’s life, bodily integrity and psychological health.

    Psychological injury is more than the causing of distress. It implies that disclosure might lead to or exacerbate an existing mental illness or psychological disorder or cause a person to become suicidal. For example, the disclosure of police photographs of a gruesome murder scene may threaten the mental health of the deceased’s spouse who is already suffering from depression, even if the murder happened more than 20 years ago.

    Depending on the nature of the information requested, the fact that the person making the request suffers from a mental illness, such as post-traumatic stress disorder or depression, may have an impact on the assessment of risk to the safety of that individual. If the person requests access to their medical records, section 28 (subsection 10.16) may be applicable.

    10.12.2 Application

    This exemption applies to any cases where there have been, or there appear to be, threats to an individual’s safety. Depending on the context, examples may include the following:

    • names and other information identifying government employees or officers associated with dangerous or highly controversial issues, such as organized crime, money laundering, gun control, child support obligations, garnishments, abortion, and animal testing or laboratory work
    • information supplied by or about informers in criminal, quasi-criminal and security areas
    • information about persons who provided information about prisoners
    • information about persons who may have witnessed an event or incident that is under further investigation
    • the identity of individuals that may be deployed in a location where it is already known that their safety is at risk and the release of the information would exacerbate that risk
    • the identity of an individual who provided information to the Government of Canada about the activities of a country that has a repressive regime
    • testimony of co-workers concerning an individual who has been harassing and threatening them with harm
    • information concerning the dismissal of the person making the request, such as the testimony of previous co-workers, where the requester has threatened or assaulted previous co-workers in the past

    The type of information protected under this exemption covers not only the name of the individual but any identifier or other kind of information that is likely, by its release, either by itself or by a “mosaic effect,” to threaten the safety of individuals. This could be information that either directly or indirectly reveals the identity, home address or other identifier of such an individual. This could also be information that would facilitate placing an individual in danger or to hazards. Consideration should be given for information about employees of a government institution, as this exemption could cover information that is not normally protected information, such as the name of the individual’s employer, place of employment, address of employment, or job title or their work and travel schedules and might otherwise customarily be released in ATIP requests. Consideration should be made especially for groups involved in controversial or dangerous work or environments where a risk to safety is already heightened. The exemption may also apply to publicly available information that can be matched with other data to reveal information that is likely, as described above, to threaten the safety of an individual, such as the time and place of meetings.

    10.12.3 The applicable injury test

    The injury test to be met in section 25 is one of “reasonable expectation of probable harm.” The expectation of injury has to be more than speculative, and institutions must demonstrate that there is a reasonable basis for believing that disclosing the information will endanger an individual’s safety.

    The injury test might be satisfied with at least some evidence demonstrating that the likelihood is considerably more than mere speculation but somewhat less than “more likely than not” and that the safety of individuals is or will be threatened by the disclosure. This can be based upon incidents where aggressive behaviour was directed at a specific person or persons, the nature of an individual’s employment, or details of actual threats.

    Institutions may consider if section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied where information about other individuals is interwoven within the request, and alternatively information may be denied access to under subsection 12(1) (Right of access) if the information does not belong to the requester.

    Paragraph 22(1)(b) (Law enforcement and investigations) of the Act (subsection 10.5.3) may also be considered if the requested information would reveal the identity of a confidential source of information and the release of the information may dually reasonably be expected to threaten the safety of one or more individuals and injurious to the conduct of a lawful investigation.

    Paragraph 24(1)(b) (Individuals sentenced for an offence) of the Act (subsection 10.11) may also be considered if the requested information may reveal information about another individual originally obtained on a promise of confidentiality, express or implied.

    10.12.4 Consultation

    Before disclosing information supplied by another institution that could affect the safety of individuals, government institutions should consult with the supplying institution to ensure that the disclosure will not endanger the safety of the individuals involved.

    10.13 Section 26: Information about another individual

    10.13.1 Exemption of personal information related to information about another individual

    Section 26 of the Act provides that a government institution may refuse to disclose any personal information about an individual other than the requester. It also provides that a government institution must refuse to disclose such information where the disclosure is prohibited under section 8 of the Act.

    Section 26 embodies the principle under the Act that an individual has a right of access only to information about themself. However, there are many scenarios where that individual’s personal information is entwined inseparably with information about another individual (for example, information about spouses or partners in an immigration file, custody disputes, labour relations issues, views and opinions of another person). When this occurs, access to the personal information must be refused where the disclosure is not permitted under section 8 of the Act because the information about another individual is also personal information.

    10.13.2 Application

    The application of section 26 of the Act requires three steps:

    1. Establish that the information falls within the definition of personal information found in section 3 of the Act that is related to both the requester and the other individual. Chapter 3 of this manual [pending] provides extensive information on the definition of personal information.

    The application of section 26 is relatively straightforward for many of the paragraphs in section 3. More thorough analysis will likely be required for the classes of personal information defined in the following paragraphs:

    • (e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,
    • (f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,
    • (g) the views or opinions of another individual about the individual, and
    • (i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual.

    In Canada (Information Commissioner) v. Canada (Minister of Citizenship and Immigration), 2002 FCA 270, known as the Pirie case, it was determined that the information in question was both the personal information of Mr. Pirie and the interviewees. After balancing the private interests of the interviewees, the private interests of Mr. Pirie and the public interest in disclosure and non-disclosure, the Court determined that Mr. Pirie’s interest in the information should prevail. Therefore, the names of the interviewees and the views and opinions they expressed about him were disclosed.

    2. Ensure that paragraphs 3(j), (j.1), (k), (l) and (m) of the definition of personal information do not apply and thus permit the disclosure of the personal information about the requester and the other individual involved.

    The exclusions should be interpreted narrowly. For example, a public servant’s name and title would customarily fall into the exclusion, but if their name and title are included as part of a list of successful candidates in a current staffing process, the information would now fit the definition set out in 3(i) and would be withheld under section 26. In Terry v. Canada (Minister of National Defence), [1994] T-845-94,Footnote 6 the Court relied upon the expressio unius est exclusio alterius (“the expression of one thing is the exclusion of the other”) rule of interpretation, which enunciates that in order to fall within that exception, the information requested must fall squarely within the 3(j) exception.

    For more information on the interplay between 3(i) and 3(j), please refer to Dagg v. Canada (Minister of Finance),[1997] 2 S.C.R. 403.

    Please also refer to Privacy Implementation Notice 2020-02: Definition of Personal Information – Ministerial Staff to assist in the application of 3(j.1).

    3. Exercise discretion as to whether the information may nonetheless be disclosed because:

    • The individuals involved have given their respective consent to the disclosure of their personal information;
    • The personal information about the requester and the other individual involved is publicly available; or
    • The personal information about the requester and the other individual can be disclosed pursuant to subsection 8(2) of the Act.

    The exercise of discretion is discussed below in 10.13.3

    10.13.3 Discretion to disclose

    Institutions may choose to exercise discretion to prevent nonsensical situations where an institution would be exempting information already known to a requester.

    An example of this could be when non-sensitive, factual information about another individual that has either been supplied by the requester or is known to them (for example, family members’ addresses that appear on a security clearance form) and where releasing it would not reveal additional personal information about the other individual. Institutions should also be cognizant of their obligation to ensure the accuracy and currency of the personal information under subsection 6(2) of the Act. All such disclosures should, however, be made cautiously. The decisions in favour of disclosure should be documented in the processing file and would normally follow internal procedures where it is determined by the institution that this is an acceptable approach when processing personal information requests. Where the possibility of an invasion of privacy exists, institutions must exempt the information.

    Disclosure of personal information about an individual other than the requester is permitted if:

    • (a) the other individual gives their consent to the disclosure (subsection 8(1)); or
    • (b) the information is publicly available (subsection 69(2)); or
    • (c) the disclosure is authorized under subsection 8(2) of the Act and, according to section 26 of the Act, the head has considered the applicability of subparagraphs 8(2)(m)(i) and 8(2)(m)(ii).
    a) Disclosure under subsection 8(1): Consent

    An institution may disclose the personal information of another individual to the requester when the other individual has consented to the disclosure. Consent is to be provided in writing and documented in the ATIP processing file. Institutions should ensure that the individual providing their consent is aware of the personal information involved and to whom the information will be provided. In other words, the individual should be aware of exactly what personal information about themself will be disclosed and to whom by virtue of their consent. Any consent obtained would apply only to records being processed for a particular file and not to future requests. The Consent for a Personal Information Request Form was developed to enable an individual to proactively provide consent to the release of their information to a requester. However, it could be used to document consent at any point in the processing of a request.

    In Layoun v. Canada, 2014 FC 1041, the Federal Court examined 19(2) of the Act, which is another discretionary provision within the Act based on consent. It stated that seeking consent is subject to practical considerations, and it recommended that government institutions may develop internal procedures to follow when considering if and when consent should be sought. The Court outlined the procedures that must respect the nature of the Act. The onus is only to make “reasonable efforts” to seek consent. There must be consideration for the fact that a personal information request is in and of itself personal information. There may be circumstances where seeking consent would reveal information about the personal information request itself and the institution. There may also be circumstances where, in conjunction with other applicable exemptions, seeking consent may harm the particular public or private interest for which the exemption exists to protect.

    When developing internal procedures, the following scenarios can form part of the considerations for or against seeking consent:

    • if the information that was collected was routine in nature or is required by law to access a benefit or service
    • if the request pertains to a topic of a sensitive nature that would customarily be kept private or confidential
    • if there was a promise of confidentiality when the information was supplied by any or all individuals involved
    • if the information was collected as part of an investigation, or if there are administrative or legal consequences in the context of the requested material
    b) Disclosure under subsection 69(2): Publicly available

    Subsection 69(2) provides that sections 7 and 8 of the Act, which set parameters for the use and disclosure of personal information, do not apply to personal information that is publicly available. Although sections 7 and 8 do not apply when personal information is publicly available, all other provisions, such as sections 4 and 5 (collections) and 12 (right of access), continue to apply. Institutions should consider if it is the requested information or information found within the request that is publicly available as part of this discretionary exercise.

    Further consideration should be made as to both how the information was released to the public and the extent of the information released. Section 11.1 of this manual provides information on the meaning of the expression “publicly available.”

    c) Disclosure under subsection 8(2)

    Subsection 8(2) of the Act enumerates several circumstances where personal information may be disclosed without consent.

    As disclosure under paragraph 8(2)(m) and notice of disclosure under subsection 8(5) must be reported in all institutions’ annual reports, additional information on these provisions is included below. Note that 8(2)(e) disclosures must also be reported in the annual report but are less likely to be employed in personal information request processing.

    Paragraph 8(2)(m)

    This paragraph provides that personal information may be disclosed for any purpose where, in the opinion of the head of an institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or the disclosure would clearly benefit the individual to whom the information relates.

    This provision is designed to deal with disclosure of personal information in situations that either cannot be readily foreseen or that are so specialized that they cannot be suitably covered in specific terms elsewhere in subsection 8(2). This provision does not imply any right of access to personal information; rather, it only permits disclosure at the discretion of the head of the institution where the appropriate conditions are met. Furthermore, the provision is only a supplement to, and not a replacement for, paragraphs (a) to (l) of subsection 8(2). In any case, this paragraph must be used with a good deal of restraint. Information should only be disclosed under this provision when it is apparent that there is a clear public interest in disclosure that outweighs the invasion of privacy or that would clearly benefit the individual, but no other release category under subsection 8(2) is applicable.

    Subsection 8(5) requires that the Privacy Commissioner be informed of disclosures made under this provision. The Privacy Commissioner may, subject to the requirement not to disclose information for which an exemption has been claimed, decide to notify the individual concerned, or to initiate a complaint under subsections 29(1) and 29(3) or an investigation under section 37 of the Act.

    Subparagraph 8(2)(m)(i)

    The decision whether or not to disclose information under this subparagraph must balance the public interest in disclosure against the threat to an individual’s privacy. This balancing should be based on an invasion-of-privacy test, which weighs the expectations of the individual, the nature of the particular personal information involved, and the possible consequences of disclosure for the individual against the public interest in disclosure. This last item may be assessed in terms of the benefit to only the requester or to the public as a whole. There is no easy guide by which to determine whether or not a specific disclosure is in the public interest. The criteria must cover unique, one-time cases, as well as similar, recurring releases affecting a number of individuals. Beyond the request regime there are obvious emergency situations where the circumstances are urgent and unambiguous, the public interest in disclosure is clear and the threat to privacy is very slight. There are situations, too, where either because of the type of information involved or the passage of time, there is little, if any, threat to an individual’s privacy. In most situations, however, the public interest in disclosure is less immediately apparent. The invasion-of-privacy test is then more crucial in deciding exactly which types of information may be released.

    There are three interrelated factors that should be taken into account in any invasion-of-privacy test.

    They are:

    1. Expectations of the individual: The conditions that governed the collection of the personal information and the expectations of the individual to whom it relates are important criteria in any test. Was the information compiled or obtained under guarantees that preclude some or all types of disclosures? Or, on the other hand, can the information be considered to have been unsolicited or given freely or voluntarily with little expectation of it being maintained in total confidence? Has the individual themself made a version of the information generally available to the public and diminished its private nature in these circumstances? Alternatively, would the individual acknowledge that some of their information is already known to the person or persons it would be disclosed to?
    2. Sensitivity of the information: It should be determined what type of information is involved in the request for a public interest disclosure. Is it obviously of a highly sensitive personal nature or does it appear to be fairly innocuous information? For example, releasing a name may appear to be benign, but contextually might be very sensitive. Is the information very current and for that reason more sensitive, or has the passage of time possibly reduced that sensitivity so that disclosure under specific circumstances would lead to no measurable injury to the individual’s privacy? On the other hand, could disclosure of the information, even after a passage of time, continue to cause harm to the individual?
    3. Probability of injury: If the information is considered sensitive, can it be surmised that the particular disclosure carries with it the probability of causing measurable injury? Injury should be interpreted as any harm or embarrassment that will have direct negative effects on an individual’s career, reputation, financial position, safety, health or well-being. As well, the head of an institution must consider if a disclosure of personal information will make that information available for a decision-making process by a government institution beyond that for which it is being disclosed.

    Institutions may also have other factors unique to their own situations that should be added to an invasion-of-privacy test. For this reason, institutions are encouraged to develop guidelines on the application of the invasion-of-privacy test within their institution.

    It is important to remember that public curiosity does not equate with public interest. The public interest to be balanced against the possible invasion of privacy can be evaluated on the basis of whether it is specific, current and probable (similar to the injury test described in Chapter 9). Where there is a possible invasion of privacy balanced against a public interest, consideration may be given to who would be receiving the information and whether any controls can be placed on further use or release.

    Examples of situations in which there could be a public interest that outweighs the potential invasion of privacy in disclosure as outlined in subparagraph 8(2)(m)(i) include:

    • (i) health or medical emergencies, accidents, natural disasters or hostile or terrorist acts where one or more individual’s lives and well-being depend on disclosure;
    • (ii) disclosure of information to carry out an order of the court (for example, enforcement of a custody order); and
    • (iii) disclosure of information to either substantiate or correct a statement made publicly by the individual concerned. In these circumstances the individual would first have made public the information being substantiated or corrected.

    Application to individuals who are deceased

    Subparagraph 8(2)(m)(i) may be considered in relation to a request for disclosure of information relating to an individual who has been dead less than 20 years. Often there is a diminution of privacy concerns with the passage of time and such information can be disclosed. The head of the institution should weigh the sensitivity of the information against the public interest in disclosure to determine if an unwarranted invasion of privacy would occur if the information was released. Important factors to consider are:

    1. whether disclosure may cause financial injury to the immediate family of the deceased
    2. whether disclosure may endanger the physical well-being of any of the family of the deceased
    3. whether the head of the institution has any reason to believe that an immediate family member or ex-spouse does not want the information released
    4. whether the information contains medical, psychological or social work case reports or data that it is reasonable to believe would prove harmful to familial relationships
    5. whether the deceased had expressed or implied any wishes with regard to the information
    6. whether disclosure may harm the reputation of the deceased (who cannot defend themself)
    Subparagraph 8(2)(m)(ii)

    This provision gives discretion to the head of an institution to ensure that personal information is not withheld from disclosure where the individual could clearly benefit from its release. The institution may consider, as part of a discretionary exercise, the balance between the public interest in disclosure if it would benefit the individual against the privacy of the third party to which the personal information relates. Note that the term “benefit” may assist the individual, but the information disclosed may be distressing in nature. Some examples of situations where personal information may be released on the grounds of “benefit to the individual” are:

    • disclosure of information to assist in determining the owner of lost or stolen property
    • notification of next of kin in the case of an accident or disaster
    • disclosure of information about an individual to immediate family members or an authorized representative of the individual such as a lawyer, under compassionate circumstances (for example, information as to whether or not an individual has been arrested in another country)
    Subsection 8(5): Notice of disclosure under paragraph 8(2)(m)

    Subsection 8(5) of the Privacy Act provides that the head of a government institution must notify the Privacy Commissioner of any disclosure of personal information under paragraph 8(2)(m) either prior to the disclosure or, if this is not practicable, at the time of disclosure. This provision provides an additional level of oversight as these disclosures are on a case-by-case basis. The Privacy Commissioner has discretion to notify the individual to whom the information relates of the disclosure if they deem such notification to be appropriate. The Privacy Commissioner may also express an opinion about the disclosure and may make recommendations to the institution.

    Notification of an individual by the Privacy Commissioner is, however, subject to the requirements of section 65 of the Privacy Act. This provision places the Privacy Commissioner under a duty not to disclose any information that is exempt under either the Access to Information Act or Privacy Act or any information that could confirm the existence of personal information where the head of a government institution, in refusing to disclose the information to the subject individual, has not indicated whether it exists.

    The OPC has developed a central portal for all institutions to provide their notifications in a secure and efficient manner. The Public interest disclosure notification online submission portal is accessible to all institutions. By submitting notifications via the portal, institutions can be assured that they are providing all information that the OPC requires to assess the disclosure. The OPC may follow up with institutions who do not use the portal, when they need more information. Institutions should expect to provide the OPC with the following information:

    • the name(s) of the individual(s) involved
    • a description of what personal information elements were disclosed
    • to whom (be it an individual or government institution)
    • the purpose of the disclosure and a statement as to why the public interest overrides privacy concerns in this instance, or how the disclosure would clearly benefit the individual
    • the name and signature of the person authorizing the disclosure
    Delegation of 8(2)(m) authority

    It is recommended that the authority to disclose personal information under paragraph 8(2)(m) be either retained by the head of the institution or delegated only to the most senior officials of the institution.

    10.14 Section 27: Protected information – solicitors, advocates and notaries

    Section 27 of the Act is a discretionary exemption based on a class test that protects information subject to solicitor-client privilege or its equivalent civil law concept, the professional secrecy of advocates and notaries (subsection 10.14.1), and to litigation privilege (subsection 10.14.2). For simplicity, we will use the term “privileges” to describe all these concepts. This provision incorporates the protection that exists in common law and in Quebec’s civil law for information to which the solicitor-client privilege attaches. It ensures that communications between a government institution and its solicitors, including litigation-related communications, are protected to the same extent as they are in the private sector.

    10.14.1 The solicitor-client privilege

    The solicitor-client privilege, also known as the legal advice privilege, protects communications between a lawyer and a client from being disclosed without the permission of the client. The purpose of this privilege is to protect and promote the confidential relationship between a lawyer and a client by facilitating full and frank communication when seeking and providing legal advice.

    Legal requirements

    The courts have identified three criteria that must be satisfied in order for a communication to be covered by solicitor-client privilege (sometimes called legal advice privilege). The communication must:

    1. be between a lawyer and a client
    2. entail the seeking or giving of legal advice
    3. be intended to be kept confidential by the parties

    1. The communication must be between a lawyer and a client.

    For the purpose of section 27 of the Act, a lawyer is understood as:

    • the Department of Justice Canada’s legal counsel;
    • private sector law practitioners appointed as legal agents of the Minister of Justice and Attorney General of Canada;
    • those in the legal service units of government institutions who are not represented by the Department of Justice; or
    • private sector lawyers retained by a government institution (for example, a law firm retained by a Crown corporation to give a legal opinion).

    For most government institutions, the client is “the Crown.” For operational purposes, however, the client is understood as the individual government institution, as defined at section 3 of the Act, in receipt of the legal services, and it also includes its agents. However, the exemption does need to consider that the larger government interest in the privilege should be taken into account.

    2. The communication must entail the seeking or giving of legal advice.

    The solicitor-client privilege only applies to communications that, by nature, are related to the seeking or giving of legal advice. When communicating, the lawyer must be acting as a professionally qualified practising lawyer and not in some other capacity. The privilege does not protect advice falling outside of the lawyer’s legal responsibilities, such as political, administrative, managerial or general policy advice except where the latter is so inextricably intertwined with the legal advice that its disclosure would reveal the legal advice.

    It is not necessary that the communications specifically request or offer legal advice, as long as it can be placed within the continuum of communication in which the lawyer tenders advice. The concept of the continuum of communications is described as “all communications between a client and a legal advisor directly related to the seeking, formulating or giving of legal advice or legal assistance fall under the protection of solicitor-client privilege,” and was recognized by the Federal Court of Canada in the decision Canadian Jewish Congress v. Canada (Minister of Employment and Immigration), (T.D.), [1996] 1 F.C. 268. It was further examined in Canada (Office of the Information Commissioner) v. Canada (Prime Minister), 2019 FCA 95. For example, information provided by the client to their legal advisor for the purpose of receiving legal advice is also protected by this privilege.

    In Canada (Public Safety and Emergency Preparedness) v. Canada (Information Commissioner), 2013 FCA 104, the Federal Court of Appeal clarified, “In determining where the protected continuum ends, one good question is whether a communication forms ‘part of that necessary exchange of information of which the object is the giving of legal advice’[...]. If so, it is within the protected continuum.”

    3. The communication must be intended to be kept confidential by the parties.

    The Supreme Court of Canada has confirmed that communications between client and lawyer, including the information they shared, are presumed to be confidential in nature.Footnote 7 Also, as a general rule, the confidentiality of a communication will be lost if it has been disclosed, either verbally or in writing, to individuals or organizations who are not part of the federal government. For exceptions to this rule, please consult with your legal services.

    If just one of the three elements is lacking, the solicitor-client privilege will not apply, for example:

    • the communication is not between a lawyer and their client;
    • the communication is prepared by a lawyer but provides only policy advice and not legal advice on an issue;
    • the lawyer is advising on administrative matters and not on legal matters; or
    • the communication has not been treated in a confidential manner by either the client or the counsel
    Rationale for the solicitor-client privilege

    The exemption in section 27 protects the interest of solicitor-client privilege by ensuring that legal advice can be obtained without concern of disclosure. If an individual cannot confide in a lawyer knowing that what is said will not be revealed, it will be difficult, if not impossible, for that individual to obtain proper legal advice based on candid discussion within the solicitor-client relationship.

    Duration

    “Once privileged, always privileged” is the general principle, unless the privilege has been waived. In other words, the solicitor-client privilege is permanent in duration: it is neither limited by the passage of time nor the end of the issue that required the legal advice.

    Examples of solicitor-client privilege

    The solicitor-client privilege applies to any document that:

    • passes between lawyer and client and that contains information necessary for the giving or seeking of legal advice
    • sets out the law and contains information about what the client should prudently and sensibly do in a particular legal context
    • does not make specific reference to legal advice but falls within the normal exchange of communications between a client and lawyer within which legal advice is sought
    • on its face, makes reference to legal advice
    • includes performing services related to a legal issue pertaining to the client for which the professional skills and knowledge of a lawyer are required, even if the services might not be regarded as the provision of legal advice in the ordinary sense
    Limits to the scope of solicitor-client privilege

    Communications that are criminal in themselves, intended to further criminal purposes and evidence of the claimant party’s abuse of process or similar blameworthy conduct are not privileged. There are other exclusions to privilege, such as full answer and defence, however, institutions should defer to their legal services as these are too complex to be included in this manual.

    Settlement privilege (also known as “without prejudice” privilege) is not part of solicitor-client privilege, and therefore records protected by settlement privilege may not be protected from disclosure in response to an access request under section 27. Institutions should seek advice from their legal services and consider if other relevant exemptions may apply or if the right of access should be granted.

    Severance and solicitor-client privileged records

    In the decision Blank v. Canada (Minister of the Environment), 2001 FCA 374, the Federal Court of Appeal ruled that solicitor-client privilege does not apply to “general identifying information” that appears in a legal opinion, and should generally be severed and disclosed in compliance with section 25 of the ATIA. This is true unless the general identifying information would reveal the nature of the confidential legal communication or would provide clues about the content of the privileged information. The court held, under the ATIA, that if a record is only partially exempted from disclosure, what is left and thus disclosed must be understandable on its own. Otherwise, the non-privileged information does not have to be disclosed.

    Although not a provision under the Privacy Act, the concept of severability is now a requirement under section 4.2.25.5 of the Policy on Privacy Protection.

    “General identifying information” can include:

    • the description of the document (for example, the “memorandum” heading and internal file identification)
    • the name, title and address of the person to whom the communication was directed
    • the subject line
    • generally innocuous opening and closing words of the communication
    • the signature block

    Additional guidance on the principle of severability can be found in Chapter 9 of this manual.

    10.14.2 Litigation Privilege

    The litigation privilege, also known as the lawyer’s brief privilege, provides a zone of privacy in relation to pending or apprehended litigation. It ensures that parties can prepare their respective cases for trial privately, without adversarial interference and without fear of premature disclosure.Footnote 8

    All communications made and documents created or obtained for the dominant purpose of litigation are protected under the litigation privilege. Contrary to the solicitor-client privilege, the litigation privilege extends to communications of a non-confidential nature, as well as to those between the lawyer and third parties, or between or among non-lawyers (for example, witnesses, experts, labour relations).

    Legal requirements

    There are two legal requirements for the litigation privilege to apply:

    1. the document is created or obtained for the dominant purpose of litigation
    2. the litigation was ongoing or was reasonably anticipated at the time the document was created

    1. The document is created or obtained for the dominant purpose of litigation

    The records must be created or obtained for the dominant purpose of reasonably anticipated litigation. Also, if a record was created, obtained or compiled for the dominant purpose of litigation, the fact that it may also be used for other purposes does not affect the application of litigation privilege.

    2. The litigation was ongoing or was reasonably apprehended at the time the communication was made.

    The communication must be produced while the litigation is ongoing, or while litigation is reasonably contemplated; the litigation cannot be a mere vague possibility. However, the litigation privilege does not require the commencement of a court action to apply. Rather, in Hamalainen v. Sippola, 1991 CanLII 440, and confirmed in Blank v. Canada (Minister of Justice), 2006 SCC 39, the Supreme Court of Canada noted that “litigation can be said to be reasonably contemplated when a reasonable person, with the same knowledge of the situation as one or both of the parties, would find it unlikely that the dispute will be resolved without it.”

    Rationale for the litigation privilege

    The litigation privilege provides a zone of privacy for the litigator in which they can prepare the client’s case without fear of disclosure before making their case in court.

    Duration

    Unlike the solicitor-client privilege, the litigation privilege is temporary and lasts until litigation sharing the same “juridical source” comes to an end, as set out in Blank v. Canada (Minister of Justice), 2006 SCC 39, [2006] 2 S.C.R. 319. In general, this means that the litigation privilege ceases with the conclusion of the litigation of which it was born.

    In the decision Blank v. Canada (Minister of Justice), 2006 SCC 39, [2006] 2 S.C.R. 319 (at paragraph 39), the Supreme Court of Canada enlarged the definition of litigation to allow the privilege to be maintained in separate proceedings, when they are “closely related.” They include:

    • separate proceedings that involve the same or related parties and that arise from the same or a related cause of action; or
    • proceedings that raise issues that are common to the initial action and that share its essential purpose.

    The Supreme Court of Canada also reiterated that even if communications are no longer protected by the litigation privilege, they could also fall within the solicitor-client privilege, in which case they would “remain clearly and forever privileged.”

    Indeed, the Supreme Court recognizes that in practice, the solicitor-client privilege and the litigation privilege often overlap.

    Examples of litigation privileged records

    Non-exhaustive examples of documents protected under litigation privilege include:

    • correspondence between a lawyer and the client(s)
    • communications between a lawyer and third parties (for example, witnesses or experts)
    • documents relevant to the issues pleaded in the lawsuit that were produced by the parties
    • lists of potential witnesses
    • witness statements
    • letters retaining experts or commenting on their reports
    • research memoranda and legal authorities
    • annotations on records written by the litigator or notes taken by the litigator during the proceedings

    10.14.3 Distinctions between the two privileges

    To summarize:

    Solicitor-client privilege Litigation privilege
    Communication is usually between a lawyer and a client (unless extended under the continuum of communications). Communication can be between a solicitor and a client, a solicitor and third parties, or a litigant and third parties.
    Arises during the course of a solicitor-client relationship. Arises and operates even in the absence of a solicitor-client relationship and applies indiscriminately to all litigants (whether or not they are represented by counsel).
    Never ends (unless subject to waiver or covered by on exception). Principle of “once privileged, always privileged.” Comes to an end, absent closely related litigation, upon the termination of the litigation that gave rise to the privilege.

    10.14.4 Exercise of discretion

    Under section 27 of the Act, the head of the government institution, or the head’s delegate, has discretion to refuse to disclose the requested personal information protected by solicitor-client privilege, the professional secrecy of advocates and notaries, or the litigation privilege.

    In exercising this discretion, two questions must be considered:

    1. Is the requested information caught by the exemption?
      As a class-based exemption, the information must simply fall within one of the above-mentioned privileges and meet its legal requirements to apply.
    2. Should the requested information be disclosed even though it falls within the scope of the exemption?
      Deciding to disclose solicitor-client privilege information should be done in consultation with the Department of Justice Canada and after weighing the public and private interests favouring disclosure against those favouring non-disclosure. There is a strong public interest in preserving the confidential nature of the solicitor-client privilege. Discretion must be exercised reasonably, in good faith, and considering only relevant considerations.

    Institutions need to balance the right to access personal information with the interest this exemption protects. However, unlike other exemptions, the age of the record would not be a determining factor for consideration in the exercise of discretion given that the solicitor-client privilege is permanent in duration. Further, in the decision Ontario (Public Safety and Security) v. Criminal Lawyers’ Association, 2010 SCC 23, the Supreme Court of Canada noted the solicitor-client privilege is a near-absolute protection in recognition of the high public interest in maintaining the confidentiality of the solicitor-client relationship. The Court noted that it was difficult to see how a public interest override could ever operate to require disclosure of a document protected by solicitor-client privilege.

    In the context of section 27, there is no requirement for the head of the government institution or their delegate to expressly provide reasons to refuse the disclosure of privileged information to the requester, or to demonstrate prejudice, should the privileged information be disclosed.

    In the decision Canada (Justice) v. Blank, 2007 FCA 87, the Federal Court of Appeal indicated that the permissive nature of section 23 of the ATIA, which is the equivalent of section 27 of the Privacy Act, reflects the fact that the solicitor-client privilege may be waived by or on behalf of the client. It can be assumed that, by asserting the solicitor-client privilege, the client or a party acting on the client’s behalf has decided that waiver would not be in the public interest. There is no legal duty on the part of the Minister to expressly explain why the privilege is not being waived to the requester. Institutions are required under 4.1.18 of the Directive to document internally the factors considered when exercising discretion is discussed, recommendations are given, rationales are provided, and decisions are made.

    10.14.5 Waiver of the privilege

    The solicitor-client privilege, the professional secrecy of advocates and notaries, and the litigation privilege belong to the government institution in receipt of the legal services (the client). Consequently, the ability to waive these privileges also belongs to the government institutions.

    It is up to the institution to establish their own internal processes to determine who can waive those privileges within the organization and release privileged information in response to a personal information request. The internal processes must also cover the circumstances in which it is advisable to do so. Government institutions are encouraged to cover this topic in the delegation order signed by the head of a government under subsection 73(1) of the Act.

    That said, institutions are encouraged to consult their legal counsel before making such a determination.

    Disclosure that is required by law is not considered a waiver of the privilege. In certain instances, neither is inadvertent disclosure when actions are taken to mitigate the disclosure, where possible. See 10.14.6 for additional guidance as this relates to communications with the OPC.

    Waiver occurs when the client is aware of the existence of the privilege and voluntarily discloses the privileged information to a party outside the solicitor-client relationship. That said, the communication between departments or agencies of information protected by the privileges does not normally amount to waiver: the communication occurs within the government, which is the ultimate beneficiary of the privilege. Similarly, it is not a waiver of the solicitor-client privilege, nor the litigation privilege, when privileged information is shared between parties who have a “common interest.” For example, the privilege would not be lost if information was shared between the governments of Canada and British Columbia if they were both named in a lawsuit and had decided on a joint defence or strategy.

    Once waived, the privilege cannot be recovered, nor applied to any future personal information request. This means that the head of the institution, or their delegate, could no longer exercise discretion under section 27 of the Act and must release the information for which the privilege has been waived.

    Consultation

    In its broadest sense, the client is the Crown or the Government of Canada as a whole. Though a case may be of greater interest to one or more institutions, the government at large is the ultimate beneficiary of the privilege, and the disclosure of privileged information by one institution may have an impact on other institutions.

    This is why institutions should always consult their legal counsel, especially when they do not have sufficient information to determine whether:

    • the information is privileged; and
    • the disclosure could:
      • injure the government’s legal positions or actual or pending litigation;
      • impede the ability of government institutions to communicate fully and frankly with their legal advisors; or
      • lead to waiver of the solicitor-client privilege with regard to other related documents.

    Institutions whose legal counsel report to the Department of Justice Canada should consult the Access to Information and Privacy Office at the Department of Justice Canada if they require more information for the proper exercise of discretion to withhold, or if they intend to disclose records that contain privileged information. However, as per 4.1.24 of the Directive, institutions are not required to consult the Department of Justice Canada if they have sufficient information to effectively exercise their discretion and apply the privilege exemptions.

    10.14.6 Communications with the Office of the Privacy Commissioner

    Disclosing privileged documents that are part of the subject matter of a personal information request to the OPC during the investigation of a complaint made under the Act does not amount to waiver, as per subsection 34(2.2) of the Act. Under subsection 34(2.1) of the Act, information withheld from a requester as privileged under section 27 should be provided to the OPC during an investigation, if requested.

    There are instances, however, where privileged information should not be communicated to the Privacy Commissioner. Legal advice that is not in itself the subject of the request but was obtained during the processing of the request or during the investigation of a complaint concerning the request should not be included with the information provided to the Privacy Commissioner for examination. In the decision Canada (Attorney General) v. Canada (Information Commissioner), 2005 FCA 199 (Mel Cappe), the Federal Court of Appeal ruled that legal advice prepared to advise a government institution as to how it should respond to a request for access to information cannot be examined by the Information Commissioner unless absolutely necessary for the Commissioner to complete their investigation with respect to that same request. Although this decision dealt with the ATIA, it would likely also apply to the Privacy Act.

    10.15 Section 27.1: Protected information – patents and trademarks

    Section 27.1 of the Act is a discretionary exemption based on a class test that protects communications between patent agents or trademark agents and their clients. This section would typically be applied to “views or opinions of another individual about the individual” who is making the request, as per paragraph (g) of the definition of “personal information” found in section 3 of the Act.

    Communications with patent agents that are protected must meet the following conditions to be included in the class, as per subsection 16.1(1) of the Patent Act:

    • they are between the patent agent who holds a patent agent licence or patent agent in training licence, or an individual authorized to act on their behalf, and that individual’s client
    • they are intended to be confidential
    • they are made for the purpose of seeking or giving advice with respect to any matter relating to the protection of an invention

    Communications with trademark agents that are protected must meet the following conditions to be included in the class, as per section 51.13 of the Trademarks Act:

    • they are between the trademark agent, who holds a trademark agent licence or trademark agent in training licence, or an individual authorized to act on their behalf, and that individual’s client
    • they are intended to be confidential
    • they are made for the purpose of seeking or giving advice with respect to any matter relating to the protection of a trademark, a geographical indication or a mark referred to in subparagraphs 9(1)(e), (i), (i.1), (i.3), (n) or (n.1) of the Trademarks Act

    If just one of the three elements is lacking, the exemption cannot be applied.

    10.15.1 Rationale for the patent and trademarks privilege

    The interest protected by the patent and trademarks advice privilege is the interest of all persons to have full and ready access to advice on inventions, trademarks and so on without concern of disclosure. If an individual cannot confide in an agent knowing that what is said will not be revealed, it will be difficult, if not impossible, for that individual to obtain proper advice on their innovation based on candid discussion.

    10.15.2 Duration

    The patent and trademark advice privilege is not limited by the passage of time, and the privilege does not end.

    10.15.3 Exercise of discretion

    Section 27.1 of the Act gives the head of a government institution who receives a request for access to personal information the discretion to invoke the patent and trademarks privilege or not.

    There are two types of decisions to be made in relation to section 27.1:

    1. A factual decision: Is the requested information subject to patents or trademarks privilege? In other words, have the legal requirements explained above been met?
    2. A discretionary decision: Should the information nevertheless be disclosed?

    This requires a balancing of the reasons for non-release of privileged information against reasonable factors in favour of release, followed by an exercise of discretion one way or the other. For section 27.1 to apply, heads of institutions do not have to demonstrate prejudice; neither do they have to give reasons for the refusal to disclose.

    10.16 Section 28: Medical record

    Section 28 of the Act provides that a government institution may refuse to disclose any personal information that relates to the physical or mental health of the individual requesting the information when that person’s examination of the information would be contrary to their best interests.

    This is a discretionary exemption based on an injury test. It is not intended to prevent individuals from having access to all medical records, but rather where the disclosure of the information would be contrary to the best interest, in terms of personal health, of the individual.

    Subsection 13(1) of the Privacy Regulations (the Regulations) permits the head of the government institution to obtain an opinion from a qualified medical practitioner or psychologist when applying this section. The institution may allow the individual to have the information examined by a medical practitioner or psychologist of their choosing, where the institution is satisfied that the person chosen is qualified to determine whether disclosure would be contrary to the applicant’s best interests.

    Subsection 13(2) of the Regulations precludes the reviewing medical practitioner or psychologist to disclose the personal information to any other person, except to a duly qualified medical practitioner or psychologist for the purposes of obtaining their opinion. Institutions should remind practitioners and psychologists of their obligations when personal information is forwarded to them requesting their professional opinion, and request that they return the information to the institution after the review has been completed.

    Section 14 of the Regulations provides that an individual who is given access to personal information relating to their physical or mental health may be required to examine the information in person and in the presence of a duly qualified medical practitioner or psychologist who may explain or clarify the information to the individual.

    The standard of proof that must be met by a government institution that wants to invoke this exemption should thus be the civil standard of the balance of probabilities, a higher standard than what is required for the Privacy Act’s other injury-based exemptions.

    In the decision Dzevad Cemerlic MD v. Canada (Solicitor General), 2003 FCT 133, the Federal Court stated that section 28 is discretionary and that two requirements must be met before a government institution can apply the exemption. The first is that the information in question relate to the physical or mental health of the individual who requested it. The second is that an assessment be made by the head of a government institution on whether the release of the requested information is in the best interests of the individual. It was the Court’s view that:

    A government institution bears a heavy onus in justifying an exemption under section 28. Unlike the other exemptions in the Act, which balance an individual’s right to personal information with the interests of others, section 28 involves a balancing of an individual’s right to personal information with his or her own best interests as determined by the head of a government institution. It hardly needs to be said that in our society individuals are generally entitled to decide what is in their own best interests. This entitlement should not be taken away lightly.

    The decision on best interests must ultimately be made by either the head of the government institution or their delegate, not the actual medical practitioner or psychologist. However, the practitioner or psychologist will play a valuable role in the process, as their opinion will be one of the factors that the head or designate will consider as they make a final determination.

    When considering the harm to an individual, the head of the institution should consider if the information has already been communicated to the individual, or if there is an intent to communicate to them in the future. While section 14 provides duly qualified medical practitioner or psychologist can be present to explain or clarify the information to the individual, this may not be sufficient in all cases. For example, if there is a recommendation on file that an individual not return to work, but the individual has not yet been so informed, the qualified medical practitioner or psychologist may not be able to speak to the ramifications of the recommendations as it relates their employment. The information ought to be communicated using an alternate and established channel that the institution has available for these types of scenarios.

    This exemption may also be relevant where an individual with a long and difficult history of mental instability might suffer grave mental or physical trauma if information about certain diagnoses were made available to them, or if a treatment plan is suggested, but has not yet been discussed with them.

    Institutions may consider if section 26 (Information about another individual) of the Act (subsection 10.13) may also be applied where information about other individuals is interwoven with individuals’ medical records. Section 25 (Safety of individuals) of the Act (subsection 10.12) may also be considered if the requested information may threaten the life, bodily integrity or psychological health of the individual. However, the application of this exemption may in of itself cause the harm to which it is trying to protect.

    10.17 Other grounds for refusing access: subsection 33(1) of the Act – Protection of representations made to the Privacy Commissioner in the context of an investigation

    Subsection 33(1) requires that every investigation by the Privacy Commissioner of a complaint under the Privacy Act be conducted in private. Subsection 33(2) guarantees both the complainant and the head of the government institution concerned an opportunity to make representations. However, “no one is entitled as of right to be present during, to have access to or to comment on representations made to the Commissioner by any other person.” There are also additional provisions in sections 62 to 65 the Act that outline additional security, confidentiality and disclosure restrictions as they relate to the information received or obtained during an investigation under the Act.

    While section 33 does not fall within the headings of Exemptions or Exclusions in the Act, in Rubin v. Canada (Clerk of the Privy Council) (C.A.), [1994] 2 F.C. 707, confirmed on appeal to the Supreme Court of Canada in Rubin v. Canada (Clerk of the Privy Council), [1996] 1 S.C.R. 6, both Courts concluded that representations made by a government institution to the Information Commissioner in the course of an investigation and the responses from the Commissioner to the institution must be excluded from disclosure under section 35 of the ATIA if there is an access to information request. Such protection from disclosure exists not only for representations made in an ongoing investigation of the Commissioner, but also for representations made in respect of an investigation that has been completed. Section 35 of the ATIA affords the same parallel protections to the investigative process as section 33 of the Privacy Act, and both cases should be considered in building a rationale to support denying access to information pertaining to a complaint investigated by either Commissioner.

    Institutions can process information that would fall under section 33 of the Privacy Act as though it is a mandatory class exemption with no time limit to its protection. The following is a non-exhaustive list of examples of information that can be protected from disclosure under subsection 33(2) of the Act:

    • representations made by a government institution to the Commissioner, including documents attached to such representations
    • responses from the Commissioner’s office
    • references, in other documents, to representations provided to the Commissioner or references to responses received from the Commissioner during an investigation.

    In the rare cases that the information is addressed to all parties (complainant, the government institution concerned, and an investigator working for the OPC), institutions may consider releasing that information if it forms part of the request. However, if the information branches off into discussions that are only between the government institution concerned and the OPC, access should be denied.

    Throughout this manual, other exemptions have been introduced for consideration as institutions are permitted to invoke more than one exemption, as applicable. In this case, although it would seem logical to suggest a possible application of paragraph 22(1)(b), Rubin v. Canada (Clerk of the Privy Council) (C.A.), [1994] 2 F.C. 707 affirmed that if section 35 of ATIA is used to deny access, it is not necessary to invoke another exemption. Only the OPC, see section 10.6 of this manual) may apply an exemption, section 22.1, to personal information obtained or created by the Privacy Commissioner or on their behalf.

    A model letter has been developed to assist institutions in communicating the denial of access. While investigations are conducted in private, it is not necessary to “neither confirm nor deny” the existence of a record by invoking subsection 16(2) of the Act.

  • Chapter 11: Exclusions

    Date updated: 2024-12-09
    ATI Manual Cross-reference

    Sections 69 and 70 of the Privacy Act (the Act) are referred to as “exclusions” as they cover information that is excluded from the application of theAct, or from parts of the Act. For that information which is entirely excluded from the application of the Act, individuals do not have a right of access. This chapter provides a description of materials that do not fall under the Act.

    11.1 Section 69: Library and museum material and personal information

    11.1.1 Subsection 69(1): Library and museum material

    Paragraph 69(1)(a) of the Act excludes library or museum material preserved solely for public reference or exhibition purposes from the coverage of the Act. This personal information is not held by government for its own or normal “governmental” purposes. Thus, it is not the type of information to which this type of legislation is intended to apply to.

    In addition, paragraph 69(1)(b) excludes material that has been placed by or for a person or organization other than a government institution in the following establishments:

    • Canadian Museum for Human Rights
    • Canadian Museum of History
    • Canadian Museum of Immigration at Pier 21
    • Canadian Museum of Nature
    • Library and Archives Canada
    • National Gallery of Canada
    • National Museum of Science and Technology

    This includes both private and public collections of papers and records placed in those institutions other than by a government institution, by or on behalf of individuals, corporations and other groups. By excluding the application of the Act to this material, it recognizes the right of donors of information to set their own conditions with respect to the disclosure of the information.

    11.1.2 Subsection 69(2): Personal information that is publicly available

    Subsection 69(2) of the Act provides that sections 7 and 8 of the Act, which set parameters for the use and disclosure of personal information, do not apply to personal information that is publicly available. Both paragraph 19(2)(b) of the Access to Information Act (ATIA) and section 26 of the Privacy Act consider “information that is publicly available” in their application. For information on the collection, use, disclosure and retention of personal information that is publicly available online, refer to Privacy Implementation Notice 2023-03.

    Although sections 7 and 8 do not apply when personal information is publicly available, all other provisions of the Act continue to apply. For example, even if the personal information is publicly available, individuals continue to have the right to access and correct their personal information under the control of a government.

    The term “publicly available” is not defined in the Privacy Actor the ATIA. For reference, the term is defined in the Communications Security Establishment Act, as follows:

    “Information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase. It does not include information in respect of which a Canadian or a person in Canada has a reasonable expectation of privacy.”

    Additionally, the term is defined in Personal Information Protection and Electronic Documents Act (PIPEDA)’s Regulations Specifying Publicly Available Information, with the relevant paragraphs included below:

    • 1(c) personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry
    • 1(d) personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document
    • 1(e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information

    Both the Communications Security Establishment Act and PIPEDA regulations are included to make institutions aware of potentially relevant interpretations of the concept of publicly available information, but are not determinative as to how the courts may interpret the term under the Privacy Act.  

    The term was interpreted by the Federal Court in the decision Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2005 FC 384, (rev’d on other grounds; 2006 FCA 157). The Federal Court held that for information to be in the public domain, it must be available on an ongoing basis for use by the public. In addition, the Court noted the use of the present tense in subsection 19(2) of the ATIA: “the provision allows the head of a government institution to disclose information if the information ‘is’ publicly available.” In other words, paragraph 19(2)(b) of the ATIA applies to personal information that is currently publicly available, and not to information that may have been publicly available at some point in time in the past and that is no longer publicly available.

    Other court cases on paragraph 19(2)(b) of the ATIA have held the following:

    • Personal information is publicly available if it could have been gleaned from public records.Footnote 1 Additionally, information found in a directory available at the Library of Parliament is publicly available. The fact that permission is needed to use the Library of Parliament does not detract from the public availability of the information.Footnote 2
    • Information that has been disclosed by inadvertence does not become publicly available.Footnote 3

    Although these four decisions were rendered under the ATIA, they may assist in the interpretation of subsection 69(2) of the Privacy Act.

    Therefore, personal information may be considered “publicly available” when:

    • it is in some form currently available to the public (for example, in a newspaper, magazine, blog, on television, radio or podcast, or on a website) or when it is available in a publicly accessible record such as a court file (for example, Federal Court Registry) or a publicly accessible data set
    • it is reasonably accessible to the public, not just a select class of people
    • it could have been compiled, with little effort, from a number of distinct public records or through a comparison of source documents obtained through a computer search engine
    • it is evident that the individual has chosen to make their personal information available in a public forum, for example, personal information that is verified as having been provided in a media interview or a letter to the editor by the individual concerned
    • it has been made public by design, that is, by law or with the individual’s consent and not by accident or inadvertent disclosure

    An assessment should always be done of how public the information really is before disclosing personal information. For example, when considering whether to disclose a court record, one should ensure that there is no type of confidentiality or sealing or other order that restricts access to the record.Footnote 4

    When considering disclosing personal information that is in the public domain, one must ensure that:

    • the personal information to be disclosed is the same as the information that is in the public domain
    • the public continues to have access to the information
    • the information has been obtained legitimately (and not by inadvertence or by means of a leak, hack or theft)

    11.2 Section 69.1: Personal information collected, used or disclosed by the Canadian Broadcasting Corporation

    Section 69.1 excludes from the coverage of the Act personal information that was collected, used or disclosed by the Canadian Broadcasting Corporation (CBC) for journalistic, artistic or literary purposes, provided that the CBC does not collect, use or disclose the personal information for any other purpose. Accordingly, provided that the personal information is collected, used or disclosed by the CBC exclusively for journalistic, artistic or literary purposes, the exclusion of section 69.1 can be invoked by the CBC in respect of requests for personal information that it receives. The exclusion protects information about journalistic sources, as well as the creative and programming independence of the CBC.

    The exclusion is available only to the CBC and its wholly owned subsidiaries, within the meaning of section 83 of the Financial Administration Act. As of November 2024, the CBC did not have any wholly owned subsidiaries.

    Section 69.1 is meant to ensure that personal information collected, used and disclosed for news programming and artistic and literary performance is not subjected to the same constraints as personal information normally collected and used in the course of business. It protects the creative and programming independence of the CBC.

    However, the exclusion does not apply to personal information that relates to any other type of activities of the CBC, such as human resources activities, training and performance evaluation. In addition, the exclusion also would not apply if the personal information was collected, used or disclosed for a journalistic, artistic or literary purpose, but also for another purpose. For example, if the CBC collects personal information for a journalistic purpose, but in parallel also uses it for general administration purposes (for audit purposes for example), it cannot claim the exclusion for the secondary purpose. In such a case, the provisions of the Act apply and the CBC must provide a right of access to the personal information, subject to any applicable exemptions.

    11.3 Section 70: Confidences of the King’s Privy Council for CanadaFootnote 5 (Cabinet confidences)

    11.3.1 Principles

    The Government of Canada is based on a Cabinet system. Cabinet is comprised of ministers acting in the name of the King’s Privy Council for Canada and establishes the federal government’s policies and priorities for the country. Ministers are collectively responsible for all actions taken by the Cabinet and must publicly support all Cabinet decisions. In order to reach final decisions, ministers must be able to express their views freely during the discussions held in Cabinet. To allow the exchange of views to be disclosed publicly would result in the erosion of the collective responsibility of ministers. As a result, the collective decision‑making process has traditionally been protected by the rule of confidentiality, which upholds the principle of collective responsibility and enables ministers to engage in full and frank discussions necessary for the effective functioning of a Cabinet system.Footnote 6

    The Supreme Court of Canada has recognized that Cabinet confidentiality is essential to good government. In the decision Babcock v. Canada (Attorney General), 2002 SCC 57 at paragraph 18, the Court explained the reasons for this: “The process of democratic governance works best when Cabinet members charged with government policy and decision-making are free to express themselves around the Cabinet table unreservedly.”

    To preserve this rule of confidentiality, subsection 70(1) of the Act provides that the Act does not apply to confidences of the King’s Privy Council for Canada. For convenience, throughout this chapter, “confidences” will be used to refer to “confidences of the King’s Privy Council for Canada.”

    Subsection 70(1) sets out a non-exhaustive list of types of documents that are deemed to be confidences (see section 11.3.3 below). In addition, access to confidences is restricted to authorized individuals, particularly ministerial and departmental personnel. Cabinet confidentiality cannot be claimed if it is knowingly given to an unauthorized person (see Babcock at paragraph 45–47 and Canada (Privy Council) v. Pelletier, 2005 FCA 118 at paragraphs 25–26). A reminder that—independent of the security categorization, confidentiality clauses, or sensitivity assigned to a particular document—ATIP offices must still review information for relevant exemptions and exclusions. As such, certain ATIP analysts and their chain of command will have a need-to-know and have the appropriate security clearance to review Cabinet confidences. Their duties require access to the records provided as part of the request.

    The Clerk of the Privy Council is responsible for policies on the administration of confidences of the King's Privy Council for Canada and for the ultimate determination of what constitutes such confidences, and must be consulted in a manner consistent with the guidance set out in this chapter.

    Although all of the decisions cited in this section of this chapter were rendered under the ATIA, they would likely be persuasive in the interpretation of subsection 70(1) of the Privacy Act. In practice, Cabinet confidences are rarely found in materials that are responsive to a personal information request.

    Between 2013–23, an exclusion under subsection 70(1) was applied a total of 59 times for all personal information requests processed across all institutions. These may have included Cabinet confidences about the requester or requests that included Cabinet confidences in which the requester was involved.

    11.3.2 Meaning of “Council”

    Subsection 70(2) of the Act states that “Council” means the King’s Privy Council for Canada, committees of the King’s Privy Council for Canada, Cabinet and committees of Cabinet. Committees of Cabinet include standing committees, ad hoc committees and any other committee of ministers. In addition, meetings or discussions between ministers can result in the creation of records that are Cabinet confidences, providing that the discussions concern the making of government decisions or the formulation of government policy.

    11.3.3 Types of documents

    Paragraphs 70(1)(a) through 70(1)(f) of the Act sets out a list of six types of documents that are deemed to be Cabinet confidences. The six types of documents do not constitute an exhaustive list, but rather provide examples of records that are considered Cabinet confidences. The six types of records are described below.

    (a) Memoranda

    Paragraph 70(1)(a) excludes from the application of the Act any information contained in records the purpose of which is to present proposals or recommendations to Cabinet. This group of records includes, but is not restricted to, documents entitled “Memorandum to Cabinet.” For example, submissions to the Treasury Board are records that present proposals or recommendations to Cabinet. The determining features are the purpose for which a record was prepared and its contents, not the title of the document.

    Generally, a memorandum that presents proposals to Cabinet will be signed by the minister recommending the action proposed. However, this is not always so. Memoranda may be signed by the secretary to the Cabinet or by a secretary to a committee of Cabinet and still be a confidence.

    Drafts of memoranda are also confidences. For instance, a draft memorandum that was created for the purpose of presenting proposals and recommendations to Cabinet, but that was never actually presented to Cabinet remains a confidence. Equally, a memorandum in final form is a confidence, even if it has not been presented to Cabinet.

    A record that has been appended to a memorandum to Cabinet is not necessarily a confidence. The purpose of the record and where it is found are factors to consider when determining whether a record is a confidence, as explained in the following examples:

    • A record was prepared to present recommendations or proposals to Cabinet and was appended to a memorandum to Cabinet. The original record and all copies, including the actual appendix to the memorandum, are Cabinet confidences.
    • Newspaper clippings, tables of statistics and reports prepared for use within a department were appended to a memorandum to Cabinet. The originals of these records are not confidences since they were not prepared for the purpose of presenting recommendations or proposals to Cabinet. They do not become confidences simply because they are attached to a memorandum to Cabinet. However, the copies of these records appended to the memorandum are Cabinet confidences. In addition, the fact that the records were attached to a memorandum to Cabinet is in itself a Cabinet confidence and should not be revealed.
    (b) Discussion papers

    Paragraph 70(1)(b) excludes from the application of the Act any information contained in discussion papers the purpose of which is to present background explanations, analyses of problems, or policy options to Cabinet for consideration by Cabinet in making decisions. In 1984, the Cabinet Papers System was changed, and discussion papers ceased to be produced.

    In the case Canada (Minister of Environment) v. Canada (Information Commissioner), 2003 FCA 68 (often referred to as the Ethyl case), the Federal Court of Appeal concluded that those parts of memoranda to Cabinet, or records used to brief ministers, which are the equivalent of what used to be found in discussion papers (such as background explanations, analysis of problems, policy options), whether they are found within or appended to a document, must be identified and treated in the same manner as if they appeared in a discussion paper. As a result, those parts of a document forming an organized body or corpus of words that, when considered on its own, comes under the definition of a discussion paper and can be considered Cabinet confidences. These documents are excluded from the application of the Act. 

    Documents may also be mislabelled as discussion papers. When dealing with such documents, it is important to note that the title of the document does not determine the character of the document. For example, a document entitled “discussion paper” that contains recommendations or proposals to be presented to Cabinet is not a discussion paper for the purposes of section 70 of the Act, but rather a memorandum.

    Pursuant to paragraph 70(3)(b), discussion papers (and, as concluded in the Ethyl decision, portions of a document equivalent to discussion papers) are no longer excluded from the application of the Act if:

    • the decisions to which the discussion papers relate have been made public or,
    • the decisions have not been made public and four years have passed since the decisions were made.

    As a result, the Act will apply to information in these records, and unless an exemption applies, they will be disclosed in the event of a request under the Act. When no decision has been made, paragraph 70(3)(b) does not apply.

    (c) Agenda and records of Cabinet deliberations or decisions

    Paragraph 70(1)(c) excludes from the application of the Act any information contained in an agenda of Cabinet and records recording the deliberations or decisions of Cabinet. This type of record relates to Cabinet and Cabinet committee meetings and includes agendas, minutes and records of decisions (for example, decision letters of the Treasury Board). It should be noted that these records include drafts of these documents and informal notes taken by officials during Cabinet meetings or Cabinet committee meetings.

    A distinction must be made between the text of the formal Record of Decision and the substance of the Cabinet decision. The formal text of the Record of Decision more often than not remains a confidence and is excluded from the application of the Act for a period of 20 years. The substance of a decision reached by Cabinet may be disclosed to the public as deemed appropriate by Cabinet or by a minister with the approval of Cabinet. For example, the Treasury Board may wish to reflect its decision in circulars and manuals for implementation. If the decision is made public, any related discussion papers are now subject to the application of the Act pursuant to paragraph 70(3)(b), as explained above in (b).

    (d) Records of communications between ministers

    Paragraph 70(1)(d) excludes from the application of the Act any information contained in records used for or reflecting communications or discussions between ministers of the Crown on matters relating to the making of government decisions or the formulation of government policy.

    Such a record may take the form of a letter from one minister to another setting out the minister’s opinions or decisions. Also, information in a record that contains notes taken during informal discussions between ministers would be excluded from the application of the Act, as would any information in a record prepared for the use of the minister in discussion with another minister or ministers.

    Information in records of communications between ministers that were not used for or do not reflect discussions relating to the making of government decisions or the formulation of government policy do not fall under this category.

    (e) Records to brief ministers

    Paragraph 70(1)(e) excludes from the application of the Act any information contained in records the purpose of which is to brief ministers of the Crown in relation to matters that are before, or are proposed to be brought before, Cabinet. This paragraph also excludes information in records the purpose of which is to brief ministers in relation to matters that are the subject of communications or discussions between ministers concerning the making of government decisions or the formulation of government policy.

    The purpose of creating a record and its use are factors to consider in determining whether information in the record is excluded pursuant to paragraph 70(1)(e). For example, a formal Record of Decision directs a government department to develop policy recommendations for its minister on a particular subject. Departmental officials attend meetings for which agendas are prepared, notes are made of the proceedings, and reports are developed to be the basis of subsequent discussions on the same subject. Although the ultimate purpose of the meetings and reports is to develop policy recommendations for the minister’s use in their presentation to Cabinet, information in the records themselves is not a confidence. Records created for the use of officials while developing policy, not for the minister’s use, are subject to the Act. However, if any of the information in these records provides a link to Cabinet—in other words, reflects the collective decision-making and policy formulation processes of ministers—that information is excluded under subsection 70(1). In the same view, the end product—information in the record used by the minister to make a presentation to Cabinet—is a Cabinet confidence.

    (f) Draft legislation

    Paragraph 70(1)(f) excludes any information contained in draft legislation from the application of the Act. This provision relates to any drafts of legislation proposed by the government. It is not relevant whether the legislation was ever introduced into the House of Commons or the Senate or indeed seen by Cabinet; it still remains a Cabinet confidence.

    Draft legislation includes draft bills, draft regulations and draft orders in council. Draft legislation remains a confidence even after the final version is introduced in the House of Commons or the Senate. In the decision Quinn v. Canada (Prime Minister), 2011 FC 379, the Federal Court concluded that draft regulations examined by the Clerk of the Privy Council Office are excluded from the Act because such an examination is part of the regulatory process. Draft regulations and draft orders in council remain a confidence even after receiving approval by the Governor in Council and having been published.

    11.3.4 Time limits

    The operation of subsection 70(1) is subject to time limits set out in subsection 70(3) of the Act. Pursuant to paragraph 70(3)(a), Cabinet confidences that have been in existence for more than 20 years cannot be excluded under subsection 70(1) of the Act. After that time, information in the record becomes subject to the Act and may be released subject to any applicable exemptions.

    11.3.5 Procedures to be followed in the review of records subject to subsection 70(1)

    Although the Act does not apply to Cabinet confidences, an individual’s request for such a record must be answered. The response must make reference to section 70 of the Act and advise the requester of the right to complain to the Privacy Commissioner.

    Review by departmental ATIP officials

    Possible Cabinet confidences would not follow different procedures than any other records when retrieving from the Office of Primary Interest, apart from any additional safeguarding measures in accordance with their security classification. The ATIP office will review, and if they consider that records or portions of records contain possible Cabinet confidences, they should indicate which records or portion of records contain Cabinet confidences and which paragraph under section 70 applies. For example, if portions of a record contain information presenting proposals or recommendations to Cabinet, the officer should flag those portions with the following notation: “SEVER – 70(1)(a).” When a record does not fall within any of the six types of documents listed in subsection 70(1) but nonetheless contains information revealing the collective decision-making and policy formulation processes of ministers, the officer should flag the excluded information with the following notation: “SEVER – 70(1).”

    Consultations required
    a) Consultations with legal services

    ATIP offices are required to consult their legal services in all instances where information in response to a request may be a Cabinet confidence under the Act, as per 4.2.27 of the Policy on Privacy Protection (the Policy).

    Once the initial review process by the government institution has been completed, all records that may contain information that constitutes a Cabinet confidence must be sent to legal services for review. When sending the records to legal services, an explanation should be given by the ATIP office indicating why the record or portion of the record should be excluded under section 70. This is particularly important for documents that fall outside the formal Cabinet Papers System, but that reveal or reflect the collective decision-making and policy formulation processes of ministers (for example, correspondence with attached decks prepared for presentations to Cabinet, without reference to the presentation appearing at Cabinet on the slides).

    All documents are returned to ATIP offices after the review is done. If further questions arise at a later date, the documents will have to be sent back to legal services.

    Legal services, in their role as legal advisor, will advise their clients whether, in their opinion, the Act’s Cabinet confidence exclusion is applicable. Legal services are also required to keep a list of all documents to which they have recommended that the Cabinet confidence exclusion should apply. Legal services that form part of the Department of Justice Canada must render this list accessible to both the Privy Council Office Legal Services Sector and the Centre for Information and Privacy Law (CIPL) at the Department of Justice Canada Headquarters, upon request.

    b) Consultations with the Centre for Information and Privacy Law at the Department of Justice Canada and with the Privy Council Office – For legal services that form part of the Department of Justice Canada

    If there is any doubt as to whether information is a Cabinet confidence in cases involving complex fact situations or when there is a disagreement between the legal services and the ATIP office about the nature of the information, legal counsel at the Department of Justice Canada must first consult CIPL. If the matter cannot be resolved following this consultation, CIPL must consult with the Privy Council Legal Services Sector. In addition, consultations with the Privy Council Office are mandatory if documents contain discussion papers, as per the Ethyl decision described in section 11.3.3(b).

    Legal services that do not form part of the Department of Justice Canada should consult the Privy Council Office Legal Services Sector for advice, when needed.

    Review and consultation for discussion papers in accordance with the Ethyl decision

    Before consulting their legal services and if they have concluded that there is, within or appended to a Cabinet document, the equivalent of a discussion paper (“corpus of words”), the purpose of which was to present background explanations, analyses of problems or policy options to Council for considerations by Council in making decisions (see paragraph 70(1)(b)), ATIP offices must follow these steps:

    1. If the discussion paper contains recommendations or references to other confidences (for example, records of decision or draft legislation), bring this to the attention of legal counsel
    2. If a discussion paper is found within or appended to a memorandum to Cabinet or a record used to brief ministers, check to see if a decision has been made by Cabinet in relation to that Cabinet document by verifying the related Record of Decision
    3. Confirm that the decision relates to the discussion paper in question (you may have to consult several Records of Decision) and refer to the relevant Record of Decision
    4. If a decision has been made, determine whether subparagraphs 70(3)(b)(i) or 70(3)(b)(ii) apply
      1. Subparagraph 70(3)(b)(i): Decision has been made public
        1. Check to see if the decision has been made public; for example:
          • Did the Minister make an announcement in the House of Commons? (Check Hansard.)
          • Is there a news release that provides evidence of the decision having been made public?
        2. Provide a copy of the news release or any other material that provides evidence of the decision having been made public
      2. Subparagraph 70(3)(b)(ii): Decision was made more than four years ago
        1. Check to see if four years have passed since the decision was made (not four years since the date of the discussion paper)

    Upon being consulted by their clients, legal counsel must:

    1. consider whether information in the records are discussion papers subject to paragraph 70(3)(b), and whether they meet the criteria of subparagraphs 70(3)(b)(i) or 70(3)(b)(ii)
    2. seek confirmation from the Privy Council Legal Services Sector whether or not such records constitute discussion papers
    3. inform their clients of the result of their consultation with the Privy Council Office

    Upon being informed of the result of the consultation with the Privy Council Office, ATIP offices must:

    1. exclude the record if paragraph 70(1)(b) applies and the criteria set out in subparagraphs 70(3)(b)(i) or 70(3)(b)(ii) have not been met, or
    2. if the criteria set out in subparagraphs 70(3)(b)(i) or 70(3)(b)(ii) have been met, the discussion paper is subject to the Act, so check to see if any exemption provisions apply to the information
    Severance

    Whenever possible and after consulting with legal counsel, the principle of severability should be adopted to separate, on any pages that contains a Cabinet confidence, any personal information requested under the Act that is not itself a Cabinet confidence. If the Cabinet confidence can reasonably be severed from personal information, this should be done to allow the requested personal information to be subject to the Act.

    If severance is possible, ATIP offices should also review the remaining information to determine if any exemptions apply. Information that is excluded from the Act cannot also be exempted simultaneously.

    No discretionary power

    There is no discretionary power provided to an individual minister or government institution to make a Cabinet confidence accessible to the public.

    11.3.6 Investigation of a complaint

    In the event that a requester complains about the refusal of access to personal information, an investigator for the Office of the Privacy Commissioner of Canada, in accordance with subsection 34(2) of the Act, may ask to see any information recorded in any form under the control of a government institution to which the applicant was refused access. However, as explicitly stated in subsection 34(2), the investigator cannot have access to information in records or portions of records for which an exclusion under subsection 70(1) was applied. Only records from which Cabinet confidences have already been severed can be made available to the Privacy Commissioner. The Privacy Commissioner may, however, request confirmation that records or parts of records are Cabinet confidences. As per 4.2.28 of the Policy, upon such a request, institutions must acquire assurances that excluded information is a Cabinet confidence in compliance with established procedures.

    When a government institution receives a request for confirmation from the Privacy Commissioner, it must refer the request immediately to the ATIP coordinator, who will consult legal services to prepare the response. If there is any doubt concerning the preparation of the response, the legal services may consult with the Privy Council Office Legal Services Sector or, for departmental legal services that form part of the Department of Justice Canada, with CIPL.

    The ATIP coordinator may use the model confirmation letter in section 11.3.7 of this chapter, attaching a list that describes the contents of the records as indicated in the model list found in section 11.3.8 of this chapter. The confirmation letter must be sent within the time frame set out in the Privacy Commissioner’s request. If more time is needed, the ATIP coordinator should seek an extension from the Office of the Privacy Commissioner.

    A copy of the signed confirmation letter must be sent to the legal services at the same time the letter is sent to the Privacy Commissioner.

    11.3.7 Letter of confirmation

    Our file: [insert file number]

    [insert date]

    The Privacy Commissioner of Canada
    Office of the Privacy Commissioner of Canada
    30 Victoria Street
    Gatineau, Quebec
    K1A 1H3

    Dear [insert title and name]:

    On [insert date of notice of complaint], [insert name of institution] was notified that a complaint concerning the application of section 70 of the Privacy Act (the Act) had been filed in respect of request for access to personal information [insert request number]. I confirm that the document(s) or portion(s) thereof that is (are) the subject of request [insert request number] and is (are) described in the attached list is a (are) confidence(s) of the King’s Privy Council within the meaning of subsection 70(1) of the Act.

    The attached list provides a detailed description of the document(s), without divulging confidences of the King’s Privy Council, and sets out our conclusion(s) for the document (each of the documents).

    Sincerely,

    [insert Coordinator’s name and title]

    Enclosures

    c.c. Institutional Legal Counsel

    11.3.8 Model list prepared by the institution to be attached to the letter of confirmation

    List of documents attached to
    Letter from [insert coordinator’s name]
    Dated [insert date of letter]

    File [insert file number]

    Document no.

    1.
    (pp. 1–24)

    Description and conclusion

    Submission the purpose of which is to present proposals and recommendations to Treasury Board regarding a public servant in receipt of a pension.
    To: Treasury Board
    From: The Minister of Public Safety
    Date: January 17, 2024
    Conclusion: Exclude

    • Pages 1 to 24 entirely
      70(1)(a)

    2.
    (pp. 25‒56)

    Memorandum containing information the purpose of which is to present proposals and recommendations to Cabinet regarding a list of Governor in Council nominations.
    To: Cabinet
    From: The Minister of Justice
    Date: February 15, 2024
    Conclusion: Sever

    • Pages 25 to 51 entirely
      70(1)(a)

    3.
    (pp. 57-58)

    Email containing information about the contents of proposals and recommendations to Cabinet regarding a list of Governor in Council nominations.
    To: Director, Policy Sector
    From: Deputy Director, Policy Sector
    Re: Executive Summary
    Date: March 22, 2024
    Conclusion: Sever

    • Page 57, paragraph 4, 1st sentence entirely
      70(1)(a)
    • Page 58 entirely
      70(1)(a)

    4.
    (p. 59)

    Treasury Board letter recording a decision regarding a public servant in receipt of a pension.
    To: The Deputy Minister of Public Safety
    From: The Secretary of the Treasury Board
    Date: April 29, 2024
    Conclusion: Exclude

    • Page 59 entirely
      70(1)(c)

    5.
    (pp. 60-62)

    Handwritten notes containing information about the contents of an agenda of Cabinet.
    From: The Deputy Secretary to Cabinet
    Date: May 6, 2024
    Conclusion: Sever

    • Pages 62 entirely
      70(1)(c)

    6.
    (pp. 63-72)

    Letter reflecting communications between ministers of the Crown on a matter relating to the making of government decisions.
    To: The Minister of Public Safety
    From: The President of the Treasury Board
    Date: June 17, 2024
    Conclusion: Exclude

    • Pages 63 to 72 entirely
      70(1)(d)

    7.
    (pp. 73-77)

    Memorandum containing information about the contents of a letter reflecting communications between ministers of the Crown on a matter relating to the making of government decisions.
    To: The Clerk of the Privy Council
    From: The Deputy Minister, Natural Resources
    Re: Green Project
    Date: July 15, 2024
    Conclusion: Sever

    • Page 74, paragraph 3, 4th and 5th sentences entirely
      70(1)(d)

    8.
    (pp. 78-81)

    Briefing note and attachments the purpose of which is to brief ministers of the Crown in relation to matters that are proposed to be brought before Cabinet.
    To: The Minister of Justice
    From: The Deputy Minister of Justice
    Date: August 8, 2024
    Conclusion: Exclude

    • Pages 78 to 81 entirely
      70(1)(e)

    9.
    (pp. 92-106)

    Letter and attachment
    To: The Minister
    From: The Deputy Minister
    Date: September 27, 2024
    Conclusion: Not a confidence

    11.3.9 Review by the Federal Court

    Once the Privacy Commissioner has completed their investigation and issued their report in respect of a complaint relating to the application of section 70 of the Act, the requester or the Privacy Commissioner, with the consent of the requester, may apply to the Federal Court of Canada under paragraph 42(a) for a review of the decision to exclude the records in question. Both the Federal Court and the Federal Court of Appeal have agreed in separate judgments that decisions to exclude records requested under theATIAbased on section 69 (which in relevant respects is equivalent to section 70 of the Act) could be reviewed by the court and that the proper standard of review was the correctness standard.Footnote 7 In both instances, however, the Courts concluded that to conduct a review, they cannot have access to the documents that are the object of the dispute and that the government institution claims are Cabinet confidences. The Court stated that it could, however, use extrinsic evidence to determine whether section 69 of the ATIA had been correctly applied.

    Also, in Quinn v. Canada (Prime Minister), the Federal Court held that the authority to refuse the disclosure of a Cabinet confidence requested under the ATIA derives directly from the requirements of the law. The Court also held that there is no need for a separate certification process under section 39 of the Canada Evidence Act in proceedings where the application of the Cabinet confidences exclusion is challenged.Footnote 8

    11.4 Section 70.1: Certificate under the Canada Evidence Act

    Section 38.13 of the Canada Evidence Act authorizes the Attorney General of Canada to issue a certificate that prohibits the disclosure of information in connection with a proceeding for the purpose of protecting:

    • information obtained in confidence from, or in relation to, a foreign entity as defined in subsection 2(1) of the Foreign Interference and Security of Information Act, or
    • national defence or national security

    If a complaint to the Privacy Commissioner regarding the processing of a personal information request is filed after the issuance of a certificate under section 38.13 of the Canada Evidence Act, subsection 70.1(1) excludes the informationsubject to the certificate from the right of access. Therefore, the individual who is the subject of the certificate cannot access the information following a complaint.

    If a complaint was filed prior to the issuance of a certificate, subsection 70.1(2) of the Privacy Act provides that all proceedings under the Privacy Act in respect of that complaint, including an investigation, audit, appeal or judicial review, are discontinued. It also prohibits the Privacy Commissioner from disclosing the information, and requires the Privacy Commissioner to take all necessary precautions to prevent its disclosure and to return the information to the head of the government institution within 10 days after the certificate is published in the Canada Gazette.

    It is recommended that institutions consult their legal counsel in all situations involving the issuance of a certificate under section 38.13 of the Canada Evidence Act.

  • Chapter 12 – Investigations and Reviews

    Date updated: 2024-05-15
    ATI Manual Cross-reference

    The Privacy Act (the Act) provides for a two‑tiered system of review of refusal decisions where an individual has been refused access to personal information requested under the Act by heads of government institutions.

    The first review stage is a complaint to the Privacy Commissioner, an Agent of Parliament who reports directly to the House of Commons and the Senate. The Privacy Commissioner investigates complaints from individuals who believe federal institutions have not respected their rights under the Act.

    The second review stage is an application to the Federal Court of Canada for a review of the refusal of access after the Privacy Commissioner has investigated the matter and provided a report of the results of the investigation.

    In addition, the Commissioner also carries out investigations of other matters including complaints from individuals relating to the collection, use, disclosure, accuracy, disposal and retention of personal information, and personal information banks. The Commissioner may also initiate complaints into such matters and may review exempt banks and compliance with sections 4 to 8 of the Act.

    12.1 Complaints to the Privacy Commissioner (sections 29 to 30)

    Subsection 29(1) of the Act provides that the following matters related to personal information requests may be the subject of a complaint to the Privacy Commissioner:

    • refusal of access to personal information requested under subsection 12(1) of the Act
    • failure to accord rights relating to the correction or notation of personal information or refusal to grant corrections under subsection 12(2) without justification
    • unreasonableness of the extension of time limits under section 15 for responding to a request
    • failure to provide access to a record or a part thereof in the official language preferred by the requester under subsection 17(2)
    • failure provide access to a record or a part thereof in an alternative format under subsection 17(3)
    • any other matter relating to requesting or obtaining access under subsection 12(1) to personal information

    Complaints to the Privacy Commissioner may be brought by an individual or their authorized representative. Institutions can attempt to reach a resolution with the individual both before and after a formal complaint has been brought. If an attempt is made after a complaint is brought, the institution should so advise the Office of the Privacy Commissioner (OPC).

    Under section 30 of the Act, a complaint to the Privacy Commissioner must be made in writing, unless the Commissioner authorizes otherwise.

    The Privacy Commissioner may also initiate, under subsection 29(3), an investigation into any matter under the Act, if satisfied that there are reasonable grounds for doing so. This means that the Commissioner is free to act without a complaint being lodged by an individual if a matter comes to their attention and the Commissioner has reasonable grounds to believe that an investigation should be carried out.

    12.1.1 Notification to a requester of their right to complain

    The Act requires the head of a government institution to notify a requester about their right to make a complaint to the Privacy Commissioner when either of the following occurs:

    1. The time limits are extended under section 15
    2. Access to any personal information requested under subsection 12(1) is refused under subsection 16(1)

    In addition, the Directive on Personal Information Requests and Correction of Personal Information (the Directive) requires institutions to notify requesters of their right to complain for all matters relating to the request.

    12.1.2 Timeline for filing a complaint relating to access to personal information

    Unlike the Access to Information Act (ATIA), there is no time limit under the Privacy Act governing when a complaint to the Privacy Commissioner may be made.

    12.2 Investigation

    12.2.1 Procedures

    Section 32 of the Act gives the Privacy Commissioner broad discretion to determine the procedure to be followed in the performance of any of their duties or functions under the Act. When receiving and investigating a complaint, the main procedural requirements imposed on the Privacy Commissioner by the Act are the obligations to:

    • give notice to the head of the government institution concerned of the Commissioner’s intention to carry out an investigation and inform the head of the substance of the complaint (section 31)
    • conduct investigations in private (section 33)
    • provide the person who made the complaint and the head of the institution with an opportunity to make representations (subsection 33(2))
    • make a report at the conclusion of an investigation (section 35)
    Notice of intention to investigate

    Section 31 of the Act requires that before commencing an investigation of a complaint under this Act, the Privacy Commissioner shall notify the head of the government institution concerned of the intention to carry out the investigation and shall inform the head of the institution of the substance of the complaint. In practice, notice is given generally to the head of the institution’s delegate.

    Opportunity to make representations

    Subsection 33(2) of the Act ensures that government institutions will be given a reasonable opportunity to make representations to the Privacy Commissioner in the course of an investigation, as will the person who lodged the complaint. The representations of the government institution may support the institution’s actions, acknowledge deficiencies or errors, suggest appropriate corrective action, or any combination thereof.

    Institutions are responsible for the representations they make to the Privacy Commissioner. If, in the view of the Privacy Commissioner, an institution fails to provide meaningful and appropriate representations, the Privacy Commissioner may refer to this in their report.

    The Privacy Commissioner conducts their investigations in private, but it provides reports of the investigation to both the complainant and the head of the government institution involved in the complaint. (See the sections below on sections 33 and 35 of the Act.)

    12.2.2 Powers of the Privacy Commissioner

    Subsection 34(1) of the Act provides that the Privacy Commissioner has the power to do the following when carrying out investigations:

    • summon persons and compel them to give evidence and compel the production of documents that the Commissioner deems requisite to the full investigation of the complaint, in the same manner and to the same extent as a superior court of record
    • administer oaths
    • receive evidence, whether on oath, by affidavit or otherwise
    • enter any premises occupied by any government institution
    • converse in private with any person in such premises
    • examine or obtain copies of any records found in such premises that are relevant to an investigation

    Employees of a government institution or any other persons must not impede an investigation by the Privacy Commissioner. Section 68 of the Act provides that obstruction of the Commissioner or their delegates in the performance of duties and functions under the Act is an offence and subject, upon summary conviction, to a fine not to exceed $1,000. More information on offences is found in Chapter 13 of this manual.

    12.2.3 Access to records

    Under subsection 34(2) of the Act, government institutions must provide to the Privacy Commissioner for examination any information recorded in any form requested by the Commissioner that is under the control of the government institution, other than a Cabinet confidence excluded under subsection 70(1). There are, however, additional considerations for the Privacy Commissioner’s access to records subject to solicitor‑client privilege, the professional secrecy of advocates and notaries, excluded records and records held in a minister’s office.

    Records subject to solicitor‑client privilege

    To preserve solicitor‑client privilege and the professional secrecy of advocates and notaries, legal advice that is not in itself the subject of the request would not normally be included with the information provided to the Commissioner for examination. In Canada (Attorney General) v. Canada (Information Commissioner), 2005 FCA 199, the Federal Court of Appeal ruled that legal advice prepared to advise a government institution as to how it should respond to a request for access to information cannot be examined by the Information Commissioner unless absolutely necessary for the Commissioner to complete their investigation. In the court’s view, Parliament did not intend that a government institution be without the benefit of legal advice, provided in confidence, in deciding how to properly respond to an information request. The court held that subsection 36(2) of the ATIA, which is the equivalent of subsection 34(2) of the Privacy Act, must be interpreted restrictively in order to allow access to privileged information only where absolutely necessary to the statutory power exercised.

    On rare occasions, the Commissioner, or persons working on behalf or under the direction of the Commissioner (usually an investigator), may request to examine such legal advice. Before this information is provided to the Commissioner, it is essential that the institution’s legal advisors be consulted to determine if the Commissioner’s request falls within the “absolutely necessary” test set out by the Federal Court of Appeal in the above‑mentioned decision and, if it does, to take measures to prevent the disclosure to the Commissioner from resulting in a waiver of the solicitor‑client privilege.

    Records excluded under subsection 70(1)

    As stated in subsection 34(2) of the Act, the Privacy Commissioner cannot, during the investigation of any complaint under the Act, examine a confidence of the King’s Privy Council for Canada, to which subsection 70(1) applies. Under subsections 4.2.26 and 4.2.27 of the Policy on Privacy Protection, institutions, upon the request of the Privacy Commissioner, must acquire assurances from the their legal counsel, that excluded information is a confidence of the King’s Privy Council for Canada in compliance with established procedures.

    Records in a minister’s office

    In Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25, [2011] 2 S.C.R. 306 (commonly known as the Prime Minister’s Agenda case), the Supreme Court of Canada clarified the notion of control for records held in a minister’s office. This decision also applies to the Privacy Act. The Supreme Court of Canada confirmed that the office of a minister is not part of the department over which the minister presides and that records held exclusively in a minister’s office are generally not subject to the Act. However, a document held exclusively in a minister’s office could be deemed to be under the control of a government institution if the following two‑step test is satisfied:

    1. Do the contents of the record relate to a departmental matter?
    2. If so, could a senior official of the government institution reasonably expect to obtain a copy of the record upon request?

    The next factors to be considered are as follows:

    • the substantive content of the record
    • the circumstances in which it was created
    • the legal relationship between the government institution and the record holder

    The Supreme Court of Canada stressed that:

    • there is no presumption of inaccessibility for records in a minister’s office
    • the “test does not lead to the wholesale hiding of records in ministerial offices”

    The OPC may, in the course of its investigation, ask to see the records in a minister’s office to determine whether the records are under the control of the government institution. Should an ATIP Office receive such a request, it should tell the OPC to communicate directly with the minister’s office.

    The Privacy Commissioner does not have the power to enter a minister’s office. However, the Commissioner does have significant powers of investigation. Those powers include the authority to:

    • summon the appearance of witnesses, including ministers and exempt staff
    • compel those persons to give evidence under oath
    • compel them to produce such documents and things as the Commissioner deems requisite to the full investigation of the complaint

    12.2.4 Confidentiality orders

    Section 32 of the Act gives the Privacy Commissioner discretion to issue confidentiality orders to witnesses during the investigation of a complaint. However, the courts have cautioned that, generally speaking, confidentiality orders may not be overbroad and must impair the witnesses’ freedom of expression as little as possible.

    The following two decisions deal with section 34 of the ATIA, which is the equivalent of section 32 of the Privacy Act.

    In Canada (Attorney General) v. Canada (Information Commissioner), 2004 FC 431, the Federal Court concluded that the Information Commissioner does have the authority to issue confidentiality orders, but noted:

    any blanket regime which precludes a person from communicating for all time any information touching upon their testimony and appearance before the Commissioner would infringe that person’s right to free expression guaranteed by subsection 2(b) of the Charter in a fashion that could not be justified under section 1.

    The Federal Court also stated the following:

    to the extent confidentiality orders restricted communication in circumstances where there was no reasonable concern that such communication would impair the investigation or would result in the improper disclosure of confidential information, the orders were, in my view, an impermissible restriction on the witnesses’ freedom of expression.

    In Canada (Attorney General) v. Canada (Information Commissioner), 2007 FC 1024, which affirmed 2008 FCA 321, the Federal Court examined the appropriateness of confidentiality orders issued by the Office of the Information Commissioner to witnesses and counsel representing witnesses. The first set of orders directed witnesses not to disclose the questions asked, answers given, and exhibits used by the witness “until the taking of evidence by the Deputy Information Commissioner from other employees of Indian and Northern Affairs Canada is complete, except to [their] counsel.” The second set of orders directed counsel for those witnesses not to disclose “the questions asked, answers given and exhibits used…during [the witness] testimony…except on the lawful instruction of [the witness].” The Federal Court dismissed the application for judicial review, stating that the confidentiality orders went no further than required to:

    1. enhance the truth finding function of the Commissioner’s investigation, which investigation is conducted in furtherance of the quasi‑constitutional right of access
    2. maintain the integrity of the investigation
    3. ensure that a witness’s testimony would not be tainted by knowledge of the evidence given by another witness
    4. maintain the ex parte nature of the investigation, which investigation has to be independent of government pursuant to Parliament’s specific intent prescribed in the Act
    5. address the uniqueness of the multiple representations by counsel from the Department of Justice Canada
    6. maintain the private nature of the investigation and ensure the protection of any specific confidential information

    12.2.5 Investigations in private

    Under section 33 of the Act, all investigations by the Commissioner must be conducted in private, and no party is entitled as of right to be present during, to have access to, or to comment on representations made by another party involved in the complaint. The private and confidential nature of investigations encourages complainants, witnesses and government institutions to participate in investigations and is an important part of the statutory scheme.

    Further security and confidentiality requirements

    Section 62 provides that the Privacy Commissioner and persons acting on their behalf who receive or obtain information relating to an investigation must, with respect to access to and the use of that information, satisfy the security requirements and take any oath of secrecy required of persons who normally have access to and use of that information.

    Section 63 prohibits the Privacy Commissioner and those acting on their behalf from disclosing any information that comes to their knowledge in the performance of their duties. In addition, pursuant to section 65 of the Act, they must take every reasonable precaution to avoid the disclosure of, and shall not disclose, information that the head of a government institution would be authorized to refuse to disclose, or any information regarding whether personal information exists where the head of a government institution has not indicated whether it exists.

    However, section 64 of the Act provides that the Privacy Commissioner may disclose, or may authorize any person acting on their behalf to disclose, information that, in the opinion of the Commissioner, is necessary to:

    • carry out an investigation under the Act or establish the grounds for findings and recommendations contained in any report under the Act; or
    • in the course of a prosecution for an offence under the Act, a prosecution for an offence under section 131 of the Criminal Code (perjury) in respect of a statement made under the Act, a review before the court under the Act or Part 1 of the ATIA, or an appeal from a review of that court.

    With respect to disclosure of offences, the Privacy Commissioner may disclose:

    • to the Attorney General of Canada information relating to the commission of an offence by a director, officer or employee of a government institution if, in the Commissioner’s opinion, there is evidence of such an offence
    • information concerning the Commissioner’s activities under subsection 37(1) to the National Security and Intelligence Review Agency, to the extent the Commissioner or person acting on their behalf considers it necessary for the two agencies to coordinate their activities to avoid any unnecessary duplication of work

    Section 66 of the Act provides that the Commissioner and those acting on their behalf are not competent or compellable witnesses in respect of a matter coming to their knowledge as a result of performing duties or functions under the Act. The exceptions are in cases of prosecutions for offences under the Act or for perjury, and with respect to judicial review proceedings in Federal Court under the Act and appeals resulting from these reviews.

    12.2.6 Use of evidence in other proceedings

    Under subsection 34(3), evidence given by a person in proceedings under the Act is not admissible as evidence against that person in a court or any other proceeding except in a prosecution for an offence under section 131 of the Criminal Code (perjury), in a prosecution for an offence under the Act, in a review before the court under the Act, or in an appeal resulting from such review.

    12.2.7 Return of documents

    Under subsection 34(5), the Privacy Commissioner has 10 days in which to return any documents produced by a government institution for examination, if the institution requests their return. The Commissioner can, however, compel the production of any document again if it is deemed necessary to an investigation.

    In Canada (Attorney General) v. Canada (Information Commissioner), 2004 FC 431 (revised on other grounds in Canada (Attorney General) v. Canada (Information Commissioner), 2005 FCA 199, the Federal Court confirmed that the equivalent provision under the ATIA did not preclude the Office of the Information Commissioner from making copies of the documents it obtained during its investigation. Furthermore, the obligation to return documents did not apply to copies made, but only to the actual versions produced to the Office of the Information Commissioner.

    12.2.8 Specific cases: Investigation of deemed refusals

    Deemed refusals are discussed in detail in section 7.3 of this manual. If a federal institution does not grant access within a set period of time, the OPC considers that there is “deemed refusal” of access. All deemed refusals must be investigated by the Privacy Commissioner and a report completed before an application to the Federal Court may be made for judicial review. The deemed refusal process has had the effect of encouraging institutions to respond to access requests in a more reasonable timeframe and empowering complainants with the right to pursue a matter in Federal Court when they do not.

    12.3 Findings and recommendations

    12.3.1 Standard approach to findings

    Subsection 35(1) of the Act provides that, when the Privacy Commissioner has investigated a complaint and finds that it is well founded, the Commissioner must provide a report to the head of the government institution that has the personal information under its control containing the findings of the investigation and any recommendations resulting from it.

    Where appropriate, such a report can include a request for a response from the institution within a specified time, regarding any action taken or proposed to be taken by the institution, to implement the recommendations made in the report. If the institution does not plan to act on the recommendations, the report can request reasons for this decision. In indicating remedial action, institutions should set out the action taken or to be taken, and by what date it will be completed, and then proceed accordingly.

    In practice, reports are sometimes sent to the head of the institution’s delegate.

    A similar process applies where the Privacy Commissioner initiates a complaint and finds that a contravention of the Act occurred.

    Subsection 35(2) of the Act requires that the Privacy Commissioner report to the complainant concerning the results of their investigation.

    When the Privacy Commissioner requests a response to their recommendations, the Commissioner must not report to the complainant until the timeframe specified to provide a response has expired. Pursuant to subsection 35(3), the Commissioner shall advise the complainant in the report if no response was received or if the action proposed in the response is, in the opinion of the Commissioner, inadequate, inappropriate, or will not be taken in a reasonable time. The Commissioner may also include in such report any comments they see fit on the matter.

    Under subsection 35(4) of the Act, when an institution notifies the Privacy Commissioner that access to personal information will be given to the requester as recommended by the Commissioner, the institution will need to promptly give access. Similarly, if an institution notifies the Commissioner that it will take action to meet any other recommendation of the Commissioner (for example, in relation to time extensions and language of access), it must carry out the remedial action in the time specified.

    The Commissioner can recommend that a complainant be given access to personal information but cannot order the government institution to provide access. If, following an investigation relating to a refusal of access, access is not given to the complainant, the Commissioner must, pursuant to subsection 35(5) of the Act, advise the complainant of their right to apply to the Federal Court for a review of the matter investigated.

    In the event that the head of a government institution does not comply with their recommendations the Commissioner can report to Parliament in accordance with section 39 of the Act. This may be done at any time, either in an annual report or in a special report, when the Privacy Commissioner considers the matter involved is of such urgency or importance that a report should not be deferred until the time provided for the next annual report of the Commissioner under section 38.

    12.3.2 Early resolution

    The OPC is endeavouring to ensure that complaints of a non‑systemic nature are resolved as efficiently and effectively as possible. Early resolution, a negotiated or mediated investigative approach, is generally the optimal outcome for the parties involved. In such cases, the OPC does not issue a finding, so no recourse to the Federal Court is available to the parties.

    The OPC has also made a practice of issuing summary investigation reports which are shortened investigations that conclude with the issuance of a brief report or letter of findings. In these instances, the parties would continue to have recourse to the Federal Court as per 12.4 below.

    12.4 Review by the Federal Court (sections 41 to 52)

    The requester or the Privacy Commissioner may apply to the Federal Court of Canada for a review of a refusal of access as follows:

    • Under section 41 of the Act, a requester who has not obtained access to personal information requested pursuant to subsection 12(1) may apply to the Federal Court for a review of the matter within 45 days after the Privacy Commissioner has reported the results of the investigation to the complainant, or within any further time allowed by the court.
    • The Privacy Commissioner may apply under paragraph 42(a) for a review of a refusal to provide access to personal information in respect of which an investigation has been carried out, provided the Commissioner first obtains the consent of the person who requested access to the information.

    The Federal Court may review a refusal of the head of a government institution to disclose personal information requested under the Act, including situations involving deemed refusals. It should be noted that the Act does not provide for review by the court of matters other than denial of access (the sole exception is under subsection 16(3), when exceeding a time limit is deemed to be a denial of access).

    In cases where the Commissioner has determined that there has been a deemed refusal, a section 41 application may be limited in scope since the Commissioner will generally have not looked into the application of any exemptions. In Statham v. Canadian Broadcasting Corporation, 2010 FCA 315, the Federal Court of Appeal stated that, in an application under section 41 of the ATIA

    “the Court cannot rule upon the application of any exemption or exclusion claimed under the Act if the Commissioner has not investigated and reported upon the claim to the exemption or exclusion.”

    Similarly, in Canada (Public Safety and Emergency Preparedness) v. Gregory, 2021 FCA 33, the Federal Court of Appeal reiterated there must be a report from the Privacy Commissioner on the validity of a government institution’s exemption claim before the Federal Court may order the disclosure of the personal information in question. The Federal Court of Appeal, citing Blank v. Canada (Justice), 2016 FCA 189, noted that

    “[t]he independent review of complaints by the Commissioner is a cornerstone of the statutory scheme put in place by Parliament, and the Federal Court is entitled to the considerable expertise and knowledge of that officer of Parliament before reviewing the government’s assertions of exemptions and redactions of documents.”

    The Federal Court of Appeal also noted that there is no deadline in the Privacy Act for making a new complaint to the Privacy Commissioner about an exemption claim made subsequent to a deemed refusal. Once the Privacy Commissioner has issued a report on such a complaint, a requester will be in a position to obtain relief before the Federal Court if required.

    12.4.1 Notification of application to the Federal Court

    If a government institution is represented before the Federal Court by someone other than the Department of Justice Canada, the institution should inform the Department of Justice Canada.

    12.4.2 Right to appear as a party

    In addition to the right to apply to the Federal Court with the consent of the requester, in accordance with paragraphs 42(b) and (c) of the Act, the Privacy Commissioner may appear before the Court on behalf of a requester who has applied for a review under section 41 of the Act or, with leave of the Court, appear as a party to any review under section 41.

    12.4.3 Court process

    Sections 44 to 52 of the Act describe the process to be followed by the Federal Court. Institutions should consult their legal counsel concerning any questions related to the court process.

    12.4.4 Evidence to be provided to the Court

    In Leahy v. Canada (Citizenship and Immigration), 2012 FCA 227, the Federal Court of Appeal found that Immigration, Refugees and Citizenship Canada had failed to provide an evidentiary basis sufficient to permit a reviewing court to discharge its role. In a postscript, the Federal Court of Appeal provided guidance on how decision letters by institutions refusing access might be drafted to provide to provide sufficient information to a reviewing court. The Federal Court of Appeal indicated that this could be achieved by ensuring that there is information in the decision letter or in the court record that sets out the following:

    1. who decided the matter
    2. their authority to decide the matter
    3. whether that person decided both the issue of the applicability of exemptions and the issue of whether the information should, as a matter of discretion, nevertheless be released
    4. the criteria that were taken into account; and whether those criteria were or were not met and why

    12.4.5 Appeal

    Either party may appeal Federal Court decisions to the Federal Court of Appeal and, ultimately, seek permission to appeal to the Supreme Court of Canada.

  • Chapter 13 – Offences and Protection from Civil Proceedings or Prosecution

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    This chapter explains the offence of obstructing the Privacy Commissioner, the protection from civil proceedings or prosecutions, and the inadmissibility of evidence given during the complaint process.

    13.1 Section 68: obstructing the Privacy Commissioner

    Under section 68 of the Privacy Act (the Act), any person who obstructs the Privacy Commissioner or any person acting on behalf or under the direction of the Commissioner in the performance of the Commissioner’s duties and functions under the Act is guilty of an offence and liable, upon summary conviction, to a fine not to exceed $1,000. To date, no individual has been fined under section 68.

    13.2 Protection from civil proceedings or prosecution

    Notwithstanding any other Act of Parliament, under section 74 of the Act, the head of a government institution and any person acting on behalf or under the direction of the head are provided with protection from civil or criminal proceedings, and the Crown or any government institution are provided with protection from any proceedings, in relation to the following:

    • disclosure in good faith of any personal information pursuant to the Act
    • any consequences that flow from that disclosure, or
    • failure to give any notice required under the Act if reasonable care is taken to give the required notice.

    Section 74 was specifically considered in Gauthier v. Canada (Minister of Consumer and Corporate Affairs) (1992) 58 F.T.R. 161.Footnote 1 The Federal Court indicated that the Privacy Act was structured to provide a right of judicial review with respect to denials of access to information. However, it noted that “the [Privacy] Act expressly precludes the complainants starting a regular action for damages based on negligence.” In Canada v. John Doe, 2016 FCA 191, the Federal Court of Appeal noted that disclosures that are protected are those made under the Act. These would include a response to a personal information request. Section 74 does not necessarily apply to an action that is not based on the Act.

    Nevertheless, section 74 should not be taken to create an absolute immunity. Institutions should consult their own legal services for more information.

    13.3 Jurisdiction of the Court pursuant to section 41

    Section 41 of the Act engages the Federal Court in review de novoFootnote 2 for refusals to disclose personal information pursuant to subsection 12(1) of the Act. In order for an individual to avail themselves of this right, section 41 requires that a complaint first be made and investigated by the Privacy Commissioner. This was reiterated in Cumming v. Canada (Royal Mounted Police), 2020 FC 271. As was noted in the Federal Court decision Connolly v. Canada Post Corporation (2000), 197 FTR 161, aff’d 2002 FCA 50, the only remedy that the Federal Court can order is found at sections 48 and 49 of the Act and consists of ordering disclosure where it has been refused contrary to the Act.

    Other decisions of the Federal Court with a similar conclusion include Murdoch v. Royal Canadian Mounted Police, 2005 FC 420, Lavigne v. Canada (Canadian Human Rights Commission), 2011 FC 290, Frezza v. Canada (National Defence), 2014 FC 32, and Canada (Public Safety and Emergency Preparedness) v. Gregory, 2021 FCA 33.

    13.4 Inadmissibility of evidence given during the complaint process

    Subsection 34(3) of the Act provides that evidence given in the course of an investigation by an employee of a government institution or by any other person involved in the complaint is not admissible as evidence against the employee or person in a court or any other proceeding except in the following circumstances:

    • in a prosecution for an offence under section 131 of the Criminal Code (perjury) in respect of a statement made under the Act
    • in a prosecution for an offence under section 68 of the Act (obstruction)
    • in a review before the Federal Court under the Act, or in an appeal resulting from such review

    Although there is a presumption of truthfulness, employees can and will be called upon to demonstrate and justify their statements and evidence under oath in the above-mentioned circumstances. The institution’s legal services or other legal representation can help guide them through the proceedings.

    Evidence given in the course of an investigation by the Privacy Commissioner under the Act would not be admissible in any proceedings other than those listed above.

  • Chapter 14 – Monitoring and Reporting

    Date updated: 2023-09-20
    ATI Manual Cross-reference

    14.1 Annual Reports

    Section 72 of the Privacy Act (the Act) requires the head of every government institution to prepare an annual report on the administration of the Act within their institution during the period between April 1 of the preceding year and ending on March 31 of the current year. The report must be tabled before the Senate and the House of Commons on any of the first 15 days on which that House is sitting after September 1 of the year in which the report is prepared.

    Institutions must prepare separate and distinct annual reports for the Access to Information Act and for the Privacy Act in accordance with the instructions issued annually by the Access to Information Policy and Performance Division of the Treasury Board of Canada Secretariat (TBS) as per 4.2.32 of the Policy on Privacy Protection (the Policy). However, both reports may be filed under the same cover.

    Annual reports are intended to ensure accountability for the actions and decisions of institutions in their administration of the Act. All annual reports are referred to the permanent committee designated by Parliament to review the administration of the Act. Institutions may be invited to appear before the committee to explain their performance in responding to personal information requests.

    Institutions must provide an electronic copy of their annual report in both official languages to TBS and the Privacy Commissioner, as required by section 4.2.33 of the Policy.

    The information contained in the reports is included in an aggregate report prepared by TBS that provides a government‑wide perspective on the administration of the Access to Information Act and the Privacy Act.

    Under Sections 38 and 39 of the Act, the Privacy Commissioner of Canada also prepares an Annual Report to Parliament on the activities of their office during that financial year and may make special reports to Parliament.

    14.2 Statistical Reports

    In addition, government institutions submit annual statistical reports on the administration of the Act and its supporting regulations to TBS. These statistical reports are also included in the annual report of the institution. Completed statistical reports (Form for the Statistical Report on the Access to Information Act (TBS/SCT 350-62) and Form for the Statistical Report on the Privacy Act (TBS/SCT 350-63)) must be included in each institution’s annual reports.

    Institutions must provide their statistical report with their annual report to TBS, as required by section 4.2.34 of the Policy.

    TBS establishes definitions and issues specific directions annually to institutions on how to compile the annual and statistical reports. Because of the unique experiences of institutions, no single format can serve the needs of all government institutions. Therefore, although the reporting requirements identified by TBS must be addressed, institutions may structure their annual and statistical reports as they deem appropriate and add information to reflect their particular accomplishments and challenges.

    To promote accessibility and transparency, institutions must publish their annual reports on their websites.

    14.3 Monitoring Policy Compliance

    Heads of institutions or their delegates are responsible for monitoring the institution’s compliance with the Policy and its supporting instruments, as per 4.2.29 of the Policy and 4.1.37 of the Directive on Personal Information Requests and Correction of Personal Information (the Directive). Should they determine that there is a policy compliance issue, they must take appropriate remedial action to address the issue, as per 4.2.30 of the Policy, and advise TBS of any significant issues on a timely basis, as per 4.2.31 of the Policy.

    14.4 Monitoring for Frequently Requested Information

    While personal information requests should always be a means for an individual to access their personal information held by a government institution, there may be other avenues which could be made available to government program recipients. Heads of institution or their delegates are responsible for considering other means of making government information accessible. As per 4.2.28 of the Policy and 4.1.36 of the Directive, institutions should review the nature of requests received and assess the feasibility of making frequently requested types of information available by other means. This could include offering new client service portals or automated emails to applicants during the processing of applications. Effective communications could help to either reduce the number of personal information requests or refine the type of information that requesters seek.

  • Appendix A – Model letters

    Current as of 2024-12-09
    ATI Manual cross-reference

    The following model letters are provided to help institutions correspond with requesters and other institutions in the processing of personal information requests. The letters are a general guide and can be modified to suit the circumstances of each request and conform to requirements set out in the Privacy Act and the Directive on Personal Information Requests and Correction of Personal Information for notifications to requesters. Square brackets have been used to show where information should be inserted.

    The letters are as follows:

    Acknowledgement and clarification

    Model letter 1 – Acknowledgment of request

    Our file: [file number]

    Dear [requester’s name]:

    This is to acknowledge that our institution received your request dated [date of request] on [date received]. You are asking for the following information under the Privacy Act:

    [full text of request]

    [Institution’s name] is committed to assisting you with your request. We will make every reasonable effort to get you a complete, accurate and timely response. We will follow the Principles for Assisting Requesters when processing your request.

    Section 14 of the Privacy Act requires us to respond to your request within 30 days. We are currently searching our records and will inform you of the status of your request on [due date].

    There are circumstances under which the time limit may be extended under the Privacy Act. We will notify you if a time extension is required. We’ve attached an information sheet that explains when this might occur.

    You are entitled to complain to the Privacy Commissioner of Canada about the processing of your request. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions or concerns, contact [name of ATIP Officer] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments: Principles for Assisting Requesters; Extension of time limits

    Model letter 2 – Notification of incomplete request (clarification/identification required)

    Our file: [file number]

    Dear [requester’s name]:

    This is to acknowledge that our institution received your request dated [date of request] on [date received]. You are asking for the following information, under the Privacy Act:

    [full text of request]

    We need clarification(s) to process your request.

    [choose relevant paragraphs – clarification]

    • Before searching our records, we need clarification about the personal information you are looking for. What do you mean by...?
    • We need additional information on the type of records you believe [name of institution] might have on...
    • The wording of your request does not clearly state what personal information you are looking for. We need more information to enable an experienced employee of the institution to identify the relevant records with a reasonable effort. Therefore, to help you exercise your right of access, please clarify or rephrase your request and specify which documents you are looking for.
    • Your letter includes several questions. Subsection 13(2) of the Privacy Act states that a request for personal information must provide sufficiently specific information on the location of the personal information to make it reasonably retrievable. It is more difficult to identify records based on a series of questions. Note that we will not create a new document or record in order to respond to a request. Therefore, to help you exercise your right of access, please clarify or rephrase your request and specify which documents you are looking for.
    • Your request is worded very broadly and involves a large number of records. Searching for and preparing a response to your request would be unreasonably time-consuming. To help us process your request faster, please refine the subject of your request, the specific types of records of interest and the time period for which records are being requested.
    • To help you exercise your right of access, please clarify or rephrase your request and specify which documents you are looking for.

    We will begin processing your request after we receive clarification from you. If we have not received your reply by [date the response is due], we will consider the request abandoned and close our file accordingly.

    [AND / OR]

    You have not provided adequate identification, as required by subsection 8(2) of the Privacy Regulations. The Government of Canada takes privacy very seriously. We must ensure that you are the person that the requested personal information is about, or the agent of that person. You must provide adequate identification to prove this.

    We will begin processing your request after we receive adequate identification. [Insert information about the type of identification required to meet the requirements set out by your institution].

    If we do not receive a response by [set timeline specified by the institution], we will consider your request abandoned. You may resubmit a personal information request at a later date with additional information to identify yourself if you do not respond to us within this timeline. 

    You are entitled to complain to the Privacy Commissioner of Canada about the processing of your request. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1-800-282-1376.

    If you want to discuss your request or if you have any questions, contact [name of ATIP Officer] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Model letter 3 – Confirmation that request is considered complete

    Our file: [file number]

    Dear [requester’s name]:

    This is to confirm that we received clarification for the personal information you are looking for on [date of clarification]. Your request has been updated as follows:

    [OR]

    This is to confirm that, based on your telephone conversation with [name of ATIP Officer] on [date], your request has been updated as follows:

    [text of amended request]

    [AND/OR]

    This is to confirm that we received adequate identification from you on [date of receipt of ID].

    Your request is now complete and we are searching our records for the information. The due date for a response to your request is [insert date]. If you have any questions, contact [name of ATIP Officer] at [insert contact information].

    We will follow the Principles for Assisting Requesters when processing your request. We have attached an information sheet that explains when and why the time limit may be extended under the Privacy Act. We will notify you if a time extension is required.

    You are entitled to complain to the Privacy Commissioner of Canada about the processing of your request. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    Sincerely,

    [Coordinator’s name and title]

    Attachments: Principles for Assisting Requesters; Extension of time limits

    Model letter 4 – Notification of extension pursuant to section 15 of the Privacy Act

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to your request submitted under the Privacy Act on [insert date] for the following: [insert text of request]

    [Insert written explanation(s) that are applicable:]

    Circumstances Proposed written explanation Provision of the Privacy Act

    Further review is required to determine whether information should be exempted under sections 18–28 of the Privacy Act.

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because the records containing your personal information also include other sensitive information. We will need to review the records to protect the privacy of others and to protect other information that cannot be released.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    There is a large volume of pages related to the request

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the volume of records associated with your request. We will need to locate, retrieve and review a large number of records.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The institution is experiencing a large volume of requests

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request due to the high volume of requests currently being processed by our institution.

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The documents are difficult to obtain

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request as some of the records you requested are currently difficult to obtain because [records have been archived, records are in storage, records are not available electronically, records are stored in backup tapes, we will need to compile records from multiple locations, or your request covers a significant time period].

    This extension is in accordance with subparagraph 15(a)(i) of the Privacy Act. The extension is necessary because meeting the original time limit would unreasonably interfere with the operations of the institution.

    15(a)(i)

    The request requires significant consultations with external organizations

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult with external organizations such as provincial or territorial governments.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires significant consultations within the institution or with other federal institutions

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to consult within our institution or with other federal institutions.

    This extension is in accordance with subparagraph 15(a)(ii) of the Privacy Act.

    15(a)(ii)

    The request requires translation or conversion

    We will require additional time beyond the initial 30 days specified in the Privacy Act to respond to your request because we need to translate the records you requested or convert the records into another format in order to make it easier for you to access your personal information.

    This extension is in accordance with paragraph 15(b) of the Privacy Act.

    15(b)

    You are entitled to complain to the Privacy Commissioner of Canada about the processing of your request. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [name of ATIP Officer] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Consultations

    Model letter 5 – Internal consultation

    Our file: [file number]

    Dear [Consultees name]:

    We have received a request under the Privacy Act to obtain [summary of request].

    I have attached copies of records relevant to the request. I believe that the following pages may be released to the requester: [list page numbers].

    However, pages [list page numbers] should be exempted in whole or in part pursuant to sections [provisions that apply] of the Privacy Act, as shown on the attached copies.

    Please review the documents and provide your recommendations regarding their disclosure. If you do not agree with our preliminary assessment, please explain why, citing any exemption that you feel may apply under the Privacy Act.

    In order to meet our statutory obligation, a reply is needed by [date response is due]. If you have any questions, contact me at [telephone number] or by email at [e-mail address].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter 6 – Consultation with another institution

    Our file: [file number]

    Dear [Consultees name]:

    We have received a request under the Privacy Act to obtain [summary of request].

    I have attached the records that are relevant to the request and are of interest to your institution. I believe that the following pages may be released to the requester: [page numbers].

    However, pages [page numbers] are exempted in whole or in part pursuant to [applicable provisions] of the Privacy Act, as shown on the attached copies.

    Please review the documents and provide your recommendations regarding their disclosure. If you do not agree with our preliminary assessment, please explain why, citing any exemption that you feel may apply under the Privacy Act.

    In order to meet our statutory obligation, a reply is needed by [due date]. If you would like to discuss this matter, contact me at [telephone number] or by email at [e-mail address].

    Thank you for your attention to this matter.

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter 7 – Consultation with another government concerning the application of subsection 19(1)

    Our file: [file number]

    Dear [Coordinator’s name]:

    We have received a request under the Privacy Act to obtain [summary of request].

    In processing the request, we have located the attached records [specify: originating from OR of interest to] [name of department or ministry] that we believe are relevant to the request.

    We believe these records are of interest to you. Although they might contain personal information described under subsection 19(1) of the Act, the records may be disclosed if consent is obtained to release them. 

    Section 19 of the Privacy Act provides that personal information obtained in confidence from another government will be released only with clear consent. The Act reads as follows:

    • 19(1) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from
    • (2) The head of a government institution may disclose any personal information requested under subsection 12(1) that was obtained from any government, organization or institution described in subsection (1) if the government, organization or institution from which the information was obtained
      • (a) consents to disclosure; or
      • (b) makes the information public.

    We would be grateful if you could review the attached and inform us of whether or not you consent to the disclosure.

    A response by [date] would be greatly appreciated so that we can meet our statutory deadline. If you have any questions, contact me at [telephone number] or by email at [e-mail address].

    Sincerely,

    [Officer’s name and title]

    Attachments

    Model letter 8 – Response to consultations from other institutions

    Our file: [file number]

    Your file number: [file number]

    Dear [Coordinator’s name]:

    This is in reply to your consultation request dated [insert] concerning a request you are processing pursuant to the Privacy Act for:

    [insert information]

    [If no exemptions:] We have completed the review of the record(s) and have no objections to the release of the documents.

    [OR]

    [If exemptions:] You forwarded us [insert] pages for our review and sought our recommendations on whether the documents could be released or should be exempted from disclosure, either in part or in their entirety.

    We have completed the review of the documents(s) and recommend that the information be severed as outlined in the attachment pursuant to [insert information].

    Thank you for providing us with the opportunity to comment on the disclosure of this personal information. If you have any questions concerning our response, or if you do not agree with the recommendation, contact [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Responses to Requesters

    Model letter 9 – Response to requester - no responsive records

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    I am writing to inform you that a thorough search of the records under the control of [name of the institution] has revealed no records relating to the subject of your request.

    This completes our processing of your request. If you have any questions or concerns, contact [name of ATIP Officer] at [Officer’s telephone number] or by email at [Officer’s e-mail address].

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    Sincerely,

    [Coordinator’s name and title]

    Model letter 10 – Response to requester - records destroyed pursuant to retention policy

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    After a thorough search of our information holdings, I am writing to inform you that the record(s) that you requested was/were destroyed pursuant to our policy on the retention and disposal of information.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Model letter 11 – Response to requester - full disclosure

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    [If documents are attached:] I am pleased to attach all the documents relevant to your request, which are disclosed in their entirety under the authority of the Privacy Act.

    [If requester asked to view the documents:] I am pleased to provide access to the documents relevant to your request, which are disclosed in their entirety under the authority of the Privacy Act.

    You requested an opportunity to examine the documents rather than receive copies. I invite you to examine the documents at [place and address] on [date] at [time]. If you are unable to examine the documents at that time, contact [name and email address] to make alternate arrangements.

    [If the documents cannot be copied:] I am pleased to provide access to the documents relevant to your request, which are disclosed in their entirety under the authority of the Privacy Act. Unfortunately, the documents cannot be copied because [provide reason].

    I invite you to examine the original documents at [place and address] on [date] at [time]. If you are unable to examine the documents at that time, contact [name and email address] to make alternate arrangements.

    You also have the right to request the correction of any errors or omissions that you believe exist in any of the attached personal information.

    To request corrections, complete the Record Correction Request Form and return it to this office, along with documentary evidence supporting the correction. If your request for correction is not accepted for any reason, a notation will be attached to your file about the error or omission that you believe it contains.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    This completes our processing of your request. If you have any questions about your request or the Privacy Act, you can contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter 12 – Response to requester - partial disclosure (non-personal information)

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    Attached is a copy of the personal information you are entitled to receive.

    Some portions of the material are “non-personal information” and are not being disclosed to you. These portions are identified by a 12(1) marking. This marking means that the information is not personal in nature and, as such, does not meet the requirements of subsection 12(1) of the Privacy Act, which states:

    • Right of Access
    • 12(1) Subject to this Act, every individual who is a Canadian citizen or a permanent resident within the meaning of subjection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to
    • (a) any personal information about the individual contained in a personal information bank; and
    • (b) any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution.

    You also have the right to request the correction of any errors or omissions that you believe exist in any of the attached personal information.

    To request corrections, complete the Record Correction Request Form and return it to this office, along with documentary evidence supporting the correction. If your request for correction is not accepted for any reason, a notation will be attached to your file about the error or omission that you believe it contains.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter 13 – Response to requester - partial disclosure (pending consultation)

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    [Choose one of the following texts:]

    • We have attached copies of some of the documents you requested under the Privacy Act. Some of the personal information qualifies for exemption under section(s) [insert] of the Act. For more information on the application of this(ese) provision(s), please review the Privacy Act: Plain Language Guide to Exemptions and Exclusions.
    • We must consult with [other government institutions and/or external organizations] about the disclosure of the remaining documents. We will contact you again when we receive the response from the other [institution(s)/organization(s)].
      [OR]
    • Unfortunately, at this time we are unable to provide you with documents in response to your request because we must consult with [other government institutions and/or external organizations] about disclosing the documents. We will contact you again when we receive the response from the other [institution(s)/organization(s)].

    [If documents are being provided] You also have the right to request the correction of any errors or omissions that you believe exist in any of the attached personal information.

    To request corrections, complete the Record Correction Request Form and return it to this office, along with documentary evidence supporting the correction. If your request for correction is not accepted for any reason, a notation will be attached to your file about the error or omission that you believe it contains.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments: Plain Language Guide

    Model letter 14 – Response to requester - partial exclusion or exemption

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    We have attached the personal information that we are releasing to you in response to your request.

    [If there are exclusions:] The following documents/portions of documents you requested cannot be released to you as they are specifically excluded from access under the Privacy Act by [cite section], which states that [quote act]:

    [list documents or portions]

    [If there are exemptions:] The following documents/portions of documents you requested are being withheld in accordance with the [note provision(s)] of the Privacy Act, which state(s) that [quote act]:

    [list documents or portions]

    For more information on this(ese) provision(s), review the Privacy Act: Plain Language Guide to Exemptions and Exclusions.

    If you believe that there is an error or omission in any of the personal information that you have received, you may request a correction by completing and returning the Record Correction Request Form to this office. If your request for correction is not accepted for any reason, a notation will be attached to your file regarding the error or omission that you believe it contains.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments: Plain Language Guide

    Model letter 15 – Response to requester – complete exemption

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    The personal information you requested is being withheld based on [section, paragraph, etc.] of the Privacy Act, which states:

    [quote Act]

    For more information on this(ese) provision(s), review the Privacy Act: Plain Language Guide to Exemptions and Exclusions.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachment: Plain Language Guide

    Model letter 16 – Response to requester – complete exclusion

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    The personal information you requested cannot be disclosed to you. It is specifically excluded from access based on [section, paragraph, etc.] of the Privacy Act, which states:

    [quote Act]

    For more information on this(ese) provision(s), review the Privacy Act: Plain Language Guide to Exemptions and Exclusions.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachment: Plain Language Guide

    Model letter 17 – Response to requester – refusal to acknowledge existence of personal information

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    Under subsection 16(2) of the Privacy Act, we will neither confirm nor deny the existence of the personal information you are looking for. If such personal information did exist, it would be exempted from access under [section, paragraph, etc.] of the Act, which states:

    [quote Act]

    For more information on this(ese) provision(s), review the Privacy Act: Plain Language Guide to Exemptions and Exclusions.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions concerning your request or the Privacy Act, you can contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments: Plain Language Guide

    Model letter 18 – Confirmation of abandonment of request

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    Since we have not heard from you in response to our letter dated [insert date], we are considering your request abandoned and will be closing your file with our office.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Model letter 19 – Response to requester – cannot confirm identity

    Our file: [file number]

    Dear [requester’s name]:

    This is in response to the request you submitted under the Privacy Act on [insert date] for the following:

    [insert information]

    The personal information you requested cannot be disclosed to you under subsection 12(1) of the Privacy Act because you have not provided adequate identification, as required by subsection 8(2) of the Privacy Regulations.

    The Government of Canada takes privacy very seriously. We must ensure that you are the person that the requested personal information is about, or the agent of that person. You must provide adequate identification to prove this.

    You may resubmit a personal information request with additional information to identify yourself.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Model letter 20 – Additional personal information to disclose to requester

    Our file: [file number]

    Dear [requester’s name]:

    This is further to our correspondence dated [insert] in response to the request you submitted under the Privacy Act for the following:

    [insert information]

    Additional documents have been found that respond to the above request. We have attached the supplementary records. [Choose either] These documents are being released in their entirety. [OR] Some of the information in the records qualifies for exemption under section(s) [insert] of the Privacy Act. We apologize for any confusion caused.

    For more information on this(ese) provision(s), review the Privacy Act: Plain Language Guide to Exemptions and Exclusions.

    You have the right to request the correction of any errors or omissions that you believe to exist in any of the attached personal information. To request corrections, complete the Record Correction Request Form and return it to this office, along with documentary evidence supporting the correction. If your request for correction is not accepted for any reason, a notation will be attached to your file about the error or omission that you believe it contains.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments: Plain Language Guide

    Corrections

    Model letter 21 – Response to requester – receipt of correction request

    Our file: [file number]

    Dear [requester’s name]:

    This is to acknowledge receipt of the correction request you submitted under the Privacy Act, received on [date], for the following correction:

    [insert information]

    We are reviewing your correction request and will advise you of its status within 30 days of its receipt.

    You are entitled to complain to the Privacy Commissioner of Canada about the processing of your request. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions, email us at [insert contact e-mail].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter 22 – Response to requester – correction of personal information

    Our file: [file number]

    Dear [requester’s name]:

    We received your request to correct your personal information under the Privacy Act by our [department / institution] on [insert date]. We have since corrected your record. A copy of the corrected record is attached to this letter.

    [If the incorrect personal information was disclosed to any other person or body, add:] Under paragraph 12(2)(c) of the Privacy Act, we have notified the institutions that we disclosed this personal information to within the last two years. Those institutions are:

    [List institutions]

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter 23 – Response to requester – partial correction

    Our file: [file number]

    Dear [requester’s name]:

    We received your request to correct your personal information under the Privacy Act by our [department / institution] on [insert date].

    We have corrected portions of your personal information. We did not make all of the corrections you requested because [explain reason for partial correction]. A copy of the corrected record(s) is (are) attached to this notice.

    [If the incorrect personal information was disclosed to any other person or body, add:] Under paragraph 12(2)(c) of the Privacy Act, we have notified the institutions that we disclosed this personal information to within the last two years. Those institutions are:

    [List institutions]

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter 24 – Response to requester – refusal of correction

    Our file: [file number]

    Dear [requester’s name]:

    We received your request to correct your personal information under the Privacy Act by our [department / institution] on [insert date]. We have refused your request because [explain reasons].

    Although your request for a correction has not been accepted, the correction you requested has been added to your record.

    If you believe the correction you requested was improperly denied, you are entitled to complain to the Privacy Commissioner of Canada. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions about your request or the Privacy Act, contact [insert name] at [insert contact information].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Complaints

    Model letter 25 – Additional documents disclosed to requester further to a complaint

    Our file: [file number]

    Dear [requester’s name]:

    This is further to your request and subsequent complaint under the Privacy Act for the following:

    [insert information]

    As a result of the complaint you filed with the Privacy Commissioner of Canada, we have reconsidered the exemptions applied to the documents relevant to your request. We have decided that the following information may be disclosed:

    • Pages [page numbers] are disclosed in their entirety.
    • Pages [page numbers] are disclosed in part, portions being exempted under [exemption provision(s)] of the Privacy Act.

    We are maintaining the exemptions invoked for the remainder of the documents.

    For more information on this(ese) provision(s), review the Privacy Act: Plain Language Guide to Exemptions and Exclusions.

    You are entitled to complain to the Privacy Commissioner of Canada about how your request was processed. Information on how to file a complaint is available on the Office of the Privacy Commissioner of Canada website. You can also mail a complaint to their offices at 30 Victoria Street, Gatineau, Quebec K1A 1H3 or call their toll-free number at 1‑800‑282‑1376.

    If you have any questions or concerns about this letter, email [name of ATIP Officer] at [Officer’s e-mail address].

    Sincerely,

    [Coordinator’s name and title]

    Attachments: Plain Language Guide

    Informal response

    Model letter 26 – Responses to informal requests

    Our file: [file number]

    Dear [requester’s name]:

    [Choose relevant paragraphs:]

    • This is further to your informal request that we received on [date] to obtain [summary of request].
    • I am pleased to enclose the documents relevant to your request that may be disclosed.
    • I regret to inform you that a search of the records under the control of [name of the institution] has revealed none relating to the subject of your request.
    • I regret to inform you that the documents relevant to your request may not be disclosed.

    This completes our processing of your request. If you have any questions, email me at [Officer’s e-mail address].

    Sincerely,

    [Coordinator’s name and title]

    Attachments

    Model letter attachments if sending by post

    Principles for Assisting Requesters

    In processing your request under the Access to Information Act or the Privacy Act, we will:

    1. Offer reasonable assistance throughout the request process.
    2. Provide information on the Act, including information on the processing of your request and your right to complain to the Information Commissioner of Canada or the Privacy Commissioner of Canada.
    3. Inform you, as appropriate and without undue delay, when your request needs to be clarified.
    4. Make every reasonable effort to locate and retrieve the requested records.
    5. Apply limited and specific exemptions to the requested records.
    6. Provide accurate and complete responses.
    7. Provide timely access to the requested information.
    8. Provide records in the format and official language requested, as appropriate.
    9. Provide an appropriate location in the government institution where you can examine the requested information.

    Extension of time limits

    Section 15 of the Privacy Act says that the head of a government institution can extend the time limit to respond to a personal information request.

    The extension can be up to 30 days if:

    • meeting the original time limit would unreasonably interfere with the operations of the government institution or
    • consultations are necessary to comply with the request and the consultations cannot reasonably be completed within the original time limit.

    The extension can be as long as is reasonable if there is a need to translate from French to English or vice versa, or to convert the information into an alternative format.

    If an extension is required, you will be sent a notice indicating the length of the extension within 30 days from when your request was originally received.

    Privacy Act: Plain Language Guide to Exemptions and Exclusions

    The Privacy Act gives everyone a general right to access their personal information held by government institutions. It also protects that personal information from unauthorized collection, use, retention and disclosure.

    However, the right of access to personal information has some limits. There are two classes of exceptions to the general right of access:

    1. exemptions where certain types of personal information are exempt from the Privacy Act’s access requirements
    2. exclusions where the Privacy Act does not apply to personal information

    The Privacy Act allows government institutions to refuse to release certain kinds of personal information. The following will help you understand why parts of your response package have been blacked out and not released to you.

    Generally, to be included in the response package, the information must meet the following three requirements to be defined as your personal information and releasable under the Privacy Act:

    1. You can be identified by the information. Your name is in the record, or your identity can be deduced by the information in the record, whether alone or when combined with information from other sources.
    2. The information is about you as an individual. Information about corporations and other legal persons does not fall within the definition of your personal information. However, information about individual(s) in a sole proprietorship or in a partnership would be considered “personal information” within the meaning of section 3 of the Privacy Act.
    3. The information is recorded. It can be recorded in any form. For example, video recordings and photographic images of you contain personal information about you because they show something about your race, gender, age and ethnic origin, as well as your appearance or the sound of your voice. This applies to recordings and images of employees of a government institution and public figures. Oral conversations, even if personal in nature, are not considered personal information for the purposes of the Privacy Act unless the conversation is recorded in some manner.

    Note that when someone gives an opinion or makes a statement about someone else, that opinion or statement is generally considered the personal information of both parties. This can impact whether it is released to you.

    Right of access and severability

    A personal information request generally gives you access to your own personal information. The records containing your personal information may also include information other than your personal information. Institutions may release some of this additional information to you. In practice, parts of the records that are not exempt or excluded will not be blacked out, while the parts of a document where Privacy Act exceptions do apply will be blacked out.

    Exemptions

    Sections 18 to 28 of the Privacy Act deal with exemptions. These limit one’s access to personal information. An exemption could be made, for example, because the release of the personal information could cause injury to a person or the country. It could also be made because of how the information was obtained (such as during an investigation). Some exemptions are mandatory, in which case the institutions are legally required to withhold the personal information. Others are discretionary, in which case privacy officials may decide whether releasing the information is appropriate.

    Exclusions

    Sections 69 and 70 of the Privacy Act are referred to as exclusions because they cover information that is excluded from the application of the Privacy Act. Individuals do not have a right of access to this information.

    [copy the appropriate section(s) from the Privacy Act: Plain Language Guide to Exemptions and Exclusions]

Page details

Date modified: