1.1 This directive takes effect on April 1, 2010.
2.1 This directive applies to the government institutions defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.
2.2 This directive does not apply to the Bank of Canada.
2.3 This directive does not apply to information that is excluded under the Privacy Act.
3.1 Under the Privacy Act, individuals have the right to access their personal information and the right to request correction or have a notation added to any recorded personal information that is under the control of a government institution. This also includes the assurance that other individuals or organizations that use the information for an administrative purpose are informed of the correction or notation. Individuals have a right to know what personal information government institutions collect and to ensure that such information is accurate and complete. The right to access and the right to request correction may be limited under certain conditions. The Privacy Act establishes that heads of government institutions are responsible for responding to requests for access to personal information and for its correction.
3.2 The Policy on Privacy Protection establishes that heads (or their delegates) are responsible for ensuring that the Privacy Act and the Privacy Regulations are administered through consistent practices and procedures and that requests for access to personal information are met with timely, complete and accurate responses. Those responsibilities involve validating the identity of the requester and protecting that identity to the extent possible, developing procedures to process the requests, providing access to personal information and exercising discretion. Heads (or their delegates) are also responsible for any request for correction of personal information and for ensuring that it is processed in accordance with the Privacy Regulations. Government institutions promote the principles of openness and transparency by facilitating informal access to personal information wherever feasible and by respecting both the spirit and requirements of the Privacy Act, Privacy Regulations and related policy instruments.
3.3 This directive sets out the requirements for responding to privacy requests and requests for correction of personal information under the Privacy Act.
3.4 This directive is issued pursuant to paragraph 71(1)(d) of the Privacy Act.
3.5 This directive is to be read in conjunction with the Privacy Act, the Privacy Regulations and the Policy on Privacy Protection.
4.1 The definitions to be used in the interpretation of this directive are attached in Appendix A. Additional definitions are provided in Appendix A of the Policy on Privacy Protection.
5.1.1 To establish consistent practices and procedures for processing requests for access to or correction of personal information that is under the control of government institutions and has been used, is used or is available for use for administrative purposes.
5.2.1 Effective, well–coordinated and proactive administration of the Privacy Act within government institutions.
5.2.2 Complete, accurate and timely responses to privacy requests and correction of personal information made under the Privacy Act.
6.1.1 Respecting the following principles when delegating any powers, duties or functions under the Privacy Act:
6.1.2 Ensuring that delegates receive privacy training in the areas outlined in Appendix B of this directive.
6.2.1 Exercising discretion in a fair, reasonable and impartial manner after completing the following steps:
Note: The above considerations apply to all provisions of the Act for which the head or the delegate exercises discretion.
6.2.2 Ensuring that employees of government institutions and officials who have functional responsibility for the administration of the Privacy Act receive privacy training in the areas outlined in Appendix B of this directive.
6.2.3 Establishing procedures to validate the following:
6.2.4 Limiting, on a need-to-know basis, the disclosure of information that could directly or indirectly lead to the identification of a requester, unless the requester consents.
6.2.5 Implementing and communicating the principles for assisting requesters identified in Appendix C of this directive.
6.2.6 Determining whether it is appropriate to process the privacy request on an informal basis. If so, offering the requester the possibility of treating the request informally and explaining that only formal requests are subject to the provisions of the Privacy Act.
6.2.7 Establishing and maintaining an internal management system to keep track of privacy requests and correction requests and to document notations when required. This includes documenting the resolution of privacy complaints and reviews by the courts.
6.2.8 Documenting the processing of requests by placing on file all created and received paper and electronic documents that supported decisions under the Privacy Act, including communications where recommendations were given or decisions were made.
6.2.9 Documenting, when a request has been clarified or its wording altered, the wording of the revised request and the date of the revision in the tracking system.
6.2.10 Ensuring that requesters are notified of their right to complain to the Privacy Commissioner of Canada for all matters relating to the request, collection and handling of personal information.
6.2.11 Invoking applicable exemptions by properly applying the provisions of the Privacy Act. As defined in Appendix A and listed in Appendix D of this directive, exemptions are based either on a class test or an injury test and are either discretionary or mandatory in nature.
6.2.12 Citing all exemptions invoked on the records containing the personal information, unless doing so would reveal the exempted information or cause the injury upon which the exemption is based.
6.2.13 Consulting with the appropriate institutions in all instances involving the application of sections 21, 22 and 23 of the Privacy Act, as specified in Appendix E of this directive.
6.2.14 Establishing a process to ensure that any request for correction and any subsequent actions are made in accordance with the Privacy Regulations and are documented.
6.2.15 Inscribing any correction or notation made to personal information in a manner that ensures it will be retrieved and used whenever the original personal information is used for an administrative purpose. This also involves notifying the individuals and public and private sector organizations that use the information for administrative purposes of any correction or notation made to the personal information.
6.3.1 Recommending to the head or the delegate, as appropriate, that the requested information be disclosed informally.
6.3.2 Making every reasonable effort to search records under the control of the government institution to identify and locate the personal information that is responsive to the request.
6.3.3 Providing valid and request-related recommendations on the disclosure of personal information.
6.4.1 The monitoring and reporting requirements of this directive are set out in Subsection 6.3 of the Policy on Privacy Protection.
7.1 The consequences for non-compliance with this directive are identified in Section 7 of the Policy on Privacy Protection.
8.1 Roles and responsibilities are outlined in Section 8 of the Policy on Privacy Protection.
10.1 Please direct inquiries about this directive to your institution's access to information and privacy (ATIP) coordinator. For interpretation of this directive, the ATIP coordinator is to contact:
Information and Privacy Policy Division
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West
Ottawa ON K1A 0R5
E-mail: ippd-dpiprp@tbs-sct.gc.ca
Telephone: 613- 946-4945
Fax: 613-952-7287
Ensuring that employees of the government institution receive privacy training in the following areas:
Ensuring that officials who hold functional responsibility for the administration of the Privacy Act receive privacy training in the above-mentioned areas as well as in the following:
The following principles for assisting requesters are to be communicated to the requester.
In processing your privacy request or correction request under the Privacy Act, we will:
The following table lists all exemptions under the Privacy Act and indicates whether they are based on a class test or an injury test and whether they are mandatory or discretionary.
Exemption | Mandatory | Discretionary | Class | Injury |
---|---|---|---|---|
Subsection 18(2) | no | yes | yes | no |
Subsection 19(1) | yes | no | yes | no |
Section 20 | no | yes | no | yes |
Section 21 | no | yes | no | yes |
Paragraph 22(1)(a) | no | yes | yes | no |
Paragraph 22(1)(b) | no | yes | no | yes |
Paragraph 22(1)(c) | no | yes | no | yes |
Subsection 22(2) | yes | no | yes | no |
Section 22.1 | yes | no | yes | no |
Section 22.2 | yes | no | yes | no |
Section 22.3 | yes | no | yes | no |
Section 23 | no | yes | yes | no |
Subsection 24(a) | no | yes | no | yes |
Subsection 24(b) | no | yes | yes | no |
Section 25 | no | yes | no | yes |
Section 26 | yes | no | yes | no |
Section 27 | no | yes | yes | no |
Section 28 | no | yes | no | yes |
The following chart lists the instances where consultation is mandatory and the government institutions to be consulted.
Exemptions | Institutions |
---|---|
Section 21: International affairs and defence | |
International affairs | Department of Foreign Affairs and International Trade |
Defence of Canada or of any state allied or associated with Canada | Department of National Defence |
Detection, prevention or suppression of subversive or hostile activities | Government institution with primary interest (i.e., Department of Public Safety and Emergency Preparedness, Royal Canadian Mounted Police, Canadian Security Intelligence Service, Department of National Defence or Department of Foreign Affairs and International Trade) |
Section 22 : Law enforcement and investigation | |
Paragraph 22(1)(a) | The investigative body that originally obtained or prepared the information |
Paragraph 22(1)(b) | The investigative body or other government institution with primary interest in the law being enforced or the investigation being undertaken |
Paragraph 22(1)(c) | Correctional Service of Canada |
Section 23: Security clearances | The investigative body that provided the information |