Access to Information and Privacy

Process and Compliance Manual

Prepared by
The ATIP Unit

April 2008


Acknowledgements

  • The ATIP Unit would like to take this opportunity to acknowledge the amount work, time and effort undertaken by all OPC employees involved in the processing of requests pursuant to the Access to Information Act and the Privacy Act.
  • The OPC’s ability to comply with the legislated requirements of these Acts is largely dependent upon the involvement of each and every employee.
  • You are not only valuable collaborators in this process, but essential participants as well.

TO EVERYONE, THANK YOU!


Table of Contents

  1. Introduction
  2. Frequently Asked Questions
  3. A Word About Transitory Records, E-mails, Drafts
  4. CHAPTER 1: ACCESS TO INFORMATION AND PRIVACY BASICS
    1. 1.1 THE LEGISLATION
    2. 1.2 DELEGATION OF AUTHORITY AND RESPONSIBILITIES
    3. 1.3 WHAT DOES “UNDER THE CONTROL” MEAN?
    4. 1.4 INFORMAL REQUESTS
    5. 1.5 ELIGIBILITY TO MAKE FORMAL REQUESTS
    6. 1.6 GENERAL GUIDELINES FOR REQUESTING INFORMATION
    7. 1.7 IDENTITIES OF REQUESTERS
    8. 1.8 INSTITUTIONS WITH GREATER INTEREST
    9. 1.9 LEGISLATIVE TIME CONSTRAINTS
    10. 1.10 COMPLAINTS
    11. 1.11 CRIMINAL OFFENCE UNDER THE ACCESS TO INFORMATION ACT
  5. CHAPTER 2: ROLES AND RESPONSIBILITIES
    1. 2.1 DELEGATION OF AUTHORITY AND RESPONSIBILITIES
    2. 2.2 OVERALL ATIP RESPONSIBILITIES
    3. 2.3 RESPONSIBILITIES OF ALL OPC EMPLOYEES
  6. CHAPTER 3: PROCESSING FORMAL REQUESTS PURSUANT TO THE ACCESS TO INFORMATION ACT
    1. 3.1 PURPOSE OF THE ACCESS TO INFORMATION ACT
    2. 3.2 RELATED REGULATIONS, POLICIES AND PROCEDURES
    3. 3.3 FORMAL REQUESTS FOR ACCESS TO RECORDS
    4. 3.4 OVERALL GUIDELINES AND TIME ALLOCATED FOR RESPONDING TO AN ACCESS TO INFORMATION ACT REQUEST
    5. 3.5 COMPLAINT PROCESS
  7. CHAPTER 4: PROCESSING FORMAL REQUESTS PURSUANT TO THE PRIVACY ACT
    1. 4.1 PURPOSE OF THE PRIVACY ACT
    2. 4.2 RELATED REGULATIONS, POLICIES AND PROCEDURES
    3. 4.3 FORMAL REQUESTS FOR ACCESS TO PERSONAL INFORMATION
    4. 4.4 OVERALL GUIDELINES AND TIME ALLOCATED FOR RESPONDING TO A PRIVACY ACT REQUEST
    5. 4.5 COMPLAINT PROCESS
    6. 4.6 CORRECTION / NOTATION OF PERSONAL INFORMATION
  8. CHAPTER 5: EXEMPTIONS AND EXCLUSIONS
    1. 5.1 Access to Federal Government Information
    2. 5.2 Exemptions
    3. 5.3 Exclusions
  9. CHAPTER 6: PERSONAL INFORMATION – COLLECTION, RETENTION, ACCURACY, USE & DISCLOSURE
    1. 6.1 WHAT IS PERSONAL INFORMATION?
    2. 6.2 COLLECTION OF PERSONAL INFORMATION
    3. 6.3 RETENTION OF PERSONAL INFORMATION
    4. 6.4 ACCURACY OF PERSONAL INFORMATION
    5. 6.5 USE OF PERSONAL INFORMATION
    6. 6.6 DISCLOSURE OF PERSONAL INFORMATION
    7. 6.7 DISPOSITION OF PERSONAL INFORMATION
    8. 6.8 PRIVACY VIOLATIONS / BREACHES
    9. 6.9 ACCOUNTING FOR PERSONAL INFORMATION HOLDINGS
    10. 6.10 PRIVACY IMPACT ASSESSMENT (PIA)
  10. GLOSSARY
  11. Appendix A – Access to Information Act Request Form
  12. Appendix B – Privacy Act Request Form
  13. Appendix C – Tasking Memorandum
  14. Appendix D – Fee and Fee Waiver Policy
  15. Appendix E – Privacy Act Correction Request Form
  16. Appendix F – Access to Information Act and Regulations
  17. Appendix G – Privacy Act and Regulations

Top of Page Table of ContentsIntroduction

While the Access to Information Act (ATIA) and the Privacy Act (PA) came into force on July 1, 1983 the OPC became subject to those Acts only on April 1, 2007. ATIP has produced this Manual for the OPC:

  • in order to explain the basics of the ATIA and the PA;
  • to outline the processes that must be undertaken by the ATIP Unit to respond to requests received under those Acts;
  • to outline the processes that must be undertaken by OPC branch personnel in fulfilling their responsibilities with respect to responding to requests under the Acts, and;
  • in order to assist OPC personnel in understanding their responsibilities with respect to the handling of personal information as set out in the PA.

Both of the Acts serve an essential democratic purpose by making government more open and transparent and by promoting accountability through the participation of individuals in the decisions of government which affect them. There is a compelling public interest in openness in order to ensure that the government is fully accountable for its goals and that its performance can be measured against these goals. This renders the government more accountable to the electorate, facilitates informed public participation in the formulation of public policy, and ensures fairness in government decision-making.

As employees of the OPC, we are the custodians of information that we collect, use, disclose and retain in the course of our duties. We are accountable to the Privacy Commissioner, to the federal government, and to the Canadian public for the manner in which we perform our duties under the various legislations which govern us, including the ATIA andthe PA. We are also individuals with rights under the two Acts. This means that we, too, have a right to know how the federal government performs and what personal information it holds about us.

The proper application of the ATIA andthe PA within the OPC is a shared responsibility, one which requires the active participation of every OPC employee. This manual will help you to understand not only how to play your part in the process, but why your complete cooperation is so vitally important.

WELCOME TO THE WORLD OF ACCESS TO INFORMATION AND PRIVACY?

Top of Page Table of ContentsFrequently Asked Questions

1. Who is the requester and why is he/she asking for these documents?

There is no specific provision in the Access to Information Act (ATIA) that prohibits ATIP from divulging the name of a requester. However, the identities of ATIA requesters are generally considered personal information.

If an ATIA requester is a corporation, the identity of the corporation is not personal information. Whether the identity of the individual who submitted the request on behalf of the corporation should be protected as personal information must be decided on a case-by-case basis. However, it is the practice of ATIP not to disclose either the corporation or the employee’s name, as why the requester wants certain documents cannot be taken into consideration during the decision making process under the ATIA. Whether the request comes from Joe Public, Joe Reporter or Joe Lawyer is immaterial. Decisions concerning disclosure must be based on the content of the documents and the law alone, not upon who has asked for the information.

Also, the government’s Policy on Privacy Protection requires that federal institutions only disclose requester’s identities when authorized by the ATIA to do so and where there is a “clear need to know in order to perform duties and functions” related to the ATIA.

As to the identity of a Privacy Act (PA) requester, because the individual is seeking access to their own personal information, ATIP must usually disclose the individual’s name to the head of the OPC Branch that has the information being sought. The head will then normally need to disclose the name to someone in the Branch who will be tasked with actually searching for and locating the information. But disclosure of the individual’s name beyond that need, is a clear violation of the PA.

2. When I gather records for a request, do I have to include my handwritten notes, the e-mails on my computer and any other unofficial records?

If the information those records contain is relevant to the request, yes, they must all be gathered and sent to ATIP for review. Under the ATIA, a record is defined as “any documentary material, regardless of medium or form.”

3. I sit on an interdepartmental committee which distributed a copy of a confidential private sector paper to all members for their comments. Now I have a request for information on the same subject. Do I have to include the paper among the relevant records?

Yes. If a relevant document exists in the OPC when a request is received, it must be included. A promise to treat information confidentially does not take precedence over the right of access provided by either Act. Unless the information qualifies for an exemption or exclusion under the Acts, it must be made available to the requester.

4. Sometimes I receive records provided by third parties which have “Copyright” written on them. I am concerned about violating the Copyright Act in the event that a record should be considered relevant to an access request. Does the OPC need to obtain the consent of the author in order to release such a record?

No, the OPC does not need to obtain the consent of the author. According to subsections 32.1(1) (a) and (b) of the Copyright Act, there is no copyright infringement for any person to disclose, pursuant to either the ATIA or the PA, a record within the meaning of that Act.

5. I have priority projects with tight deadlines and don’t have time to deal with this ATIP request right now. Can it wait until I have some free time?

No. Statutory time limits are set out in the ATIA and the PA which requires the OPC to respond to requesters within 30 calendar days—this usually amounts to only 20 actual working days within which to retrieve the documents, review them for applicable exemptions, and prepare the release package(s). If you cannot meet the deadline indicated by ATIP, it is imperative that you contact ATIP immediately to discuss the possibility of extending it—but only by perhaps a day or two. If you do not respond by the date indicated, ATIP will contact you and will expect a valid reason for the delay. Delays can and will result in well-founded complaints against the OPC.

6. It’s going to take hours to review the documents, copy them, discuss them with my Director and prepare recommendations. Can we charge for this time?

No. Time spent reviewing information, photocopying documents and developing recommendations are not chargeable under the ATIA. Fees can only be charged for the time that is actually spent finding the records and removing sensitive information. Once that has been done, ATIP can charge 20 cents per photocopied page that is being released to the requester. Unlike the ATIA, the PA does not allow fees for any reason.

7. I have several drafts of a report which are all very similar to the final version. Do I have to send them all to the ATIP Unit to be reviewed?

Yes, all relevant records must be included in the search and review.

8. I have a request for a file of legal opinions, all of which are covered by solicitor-client privilege. Can I just invoke the privilege instead of going through the entire file, document by document?

No. You must review the contents of the file to ensure that all of the records are actually subject to the privilege. Some may have been made public, there may be documents which are not privileged, or there may be a reason to waive the privilege and release the information. Also, only the ATIP Director and the Director General of Corporate Services have the delegated authority from the Commissioner to cite exemptions under the Acts.

9. I found a Cabinet document marked “Secret” which has not been seen by the Commissioner yet. Shouldn’t I set it aside since there is no possibility that it will be released?

No. All relevant records, regardless of their security classification or the unlikelihood of their disclosure must be sent to ATIP for review. Markings of “Protected”, “Confidential”, “Secret” etc. may indicate sensitive information but the information must still be reviewed to see if a specific exemption should be claimed.

10. Does the OPC have a policy that advice to the Commissioner will be automatically exempted?

No. Having a blanket policy to exempt “advice” or any other discretionary provision would be contrary to the required exercise of administrative discretion. For discretionary exemptions such as advice, each case must be considered on its own merit and the decision to apply the exemption must be based on a reasonable expectation of foreseeable harm. Also, the exercise of discretion is a matter that can be subject to review by the Federal Court.

11. If we release this information, it will embarrass the Commissioner – shouldn’t we just withhold it?

Embarrassment is not recognized by either Acts as a valid reason to withhold information. In the absence of a valid exemption, the information must be disclosed.

12. Several branches collaborated on the drafting of a Briefing Note to the Commissioner on a sensitive subject and several meetings took place in this regard. Can we destroy the draft Briefing Notes if we decide later not to send the final Briefing Note to the Commissioner?

No. Draft Briefing Notes should be kept on departmental files even though they were not sent to the addressee since they were the object of intra-departmental meetings. All documentation relevant to a request that exists at the time of the request must be provided to ATIP for processing.

13. A consultant was hired to produce a report providing key sensitive information to the Commissioner. How can we protect that report from being released should an Access to Information Act request be received?

There is no specific provision of the ATIA allowing for the protection of reports or other deliverables prepared by consultants. Those documents must be disclosed unless ATIA or PA exemptions apply.

14. I have a document in which only one paragraph is actually relevant to the request. Can you protect the rest of the information as “not relevant”?

No, not under ATIA. Under the ATIA, if there is relevant information in a document, then the entire document is relevant to the request as well. While it is possible under the PA to process only personal information, you must still provide ATIP with the entire document.

15. The request is for a list of funding provided to certain organizations. As the list does not already exist, are we obligated to create one?

There is no obligation under either Acts to create a document solely in order to respond to a request. However, a document can be created if an institution wishes to do so and, in fact, it may be wise to do just that. A case of this nature should be discussed with ATIP so that an informed decision can be made whether to create a document if one does not already exist.

16. If I believe that some information contained in a document is of a sensitive nature or is not relevant, can I blank out that information prior to providing it to the ATIP Unit?

No, you must provide the entire document to ATIP. However, advise ATIP of your concerns so that they will be taken into consideration when the information is being reviewed. ATIP will ultimately determine whether certain provisions of the Acts can be applied to protect the information.

Top of Page Table of ContentsA Word About …Transitory Records, E-mails, Drafts

What is a “Record”?

When the term “record” is used, we often think only of those which exist in paper form. However, under the Access to Information Act (ATIA), “record” is defined as any documentary material, regardless of medium or form. So, in fact, the term is very broad and covers any information produced, received or collected within the OPC including:

  • paper and electronic documents
  • correspondence, memoranda, reports
  • e-mail, information contained in databases, material on web pages
  • books, plans, maps, drawings, diagrams, graphic works
  • photographs, film, microfilm, sound/audio recordings, videotapes

Under the “Information Management and Technology” portion of the site, there is a link to an “Information Management” section which contains an extremely useful “On-Line Information Management Tutorial”. ATIP highly recommends that all OPC employees avail themselves of this tool along with other information on the Intranet concerning proper records management.

Also, given that all Government of Canada employees are responsible for the effective management of information, it is imperative that OPC employees be aware of the OPC’s Information Management Policy which is found on the OPC Intranet site under “Policies and Guidelines”.

Transitory Records

In order to identify and preserve archival and historical records, the law prohibits the destruction of government records without the consent of the National Archivist. Institutions obtain consent for the disposal of their program records according to plans developed in cooperation with the Archives. An exception is the general authority that the National Archivist has granted for the destruction of records that are transitory in nature. In this authority “transitory records” are defined as:

“records that are required only for a limited time to ensure the completion of a routine action or the preparation of a subsequent record.  Transitory records do not include records required by government institutions or Ministers to control, support or document the delivery of programs, to carry out operations, to make decisions or to account for activities of government.”

Thousands of records in paper, electronic and other formats are created and received by OPC employees every day. Many of these are highly valuable to the OPC and need to be protected and preserved, for example those that:

  • document the initiation, conduct or completion of a business activity or transaction
  • contribute to the evolution of legislation or policy development
  • involve financial or legal matters or have policy, program or procedural implications
  • document how/why certain decisions and actions were/were not taken
  • provide information to Parliament in order to account for OPC activities

However, a great number of records rapidly lose their value from the time they are created or received by the OPC and they therefore no longer need to be retained. Records of no long-term value to the OPC are considered “transitory” and (with one exception, see “Note” later in this section) can be destroyed once they are no longer of use, such as:

  • those required for a limited period of time in order to complete a routine action or to prepare another record
  • a draft document that is never communicated beyond the author
  • a document that contains notes and where the additional information is found in a later version
  • a document which is received as a copy, that is maintained for convenience only and which does not direct that the receiver of the copy take any action
  • personal working notes—once the necessary information has been incorporated into an official document
  • reference material used in a marginal way and which is not required to account for decisions which have/have not been taken

Records of value to the OPC must not be destroyed. To identify a transitory record, ask yourself whether the record is used to initiate or to continue an OPC activity, whether it provides comments on an activity underway which requires administrative action, or which requests an opinion or an activity of interest to the OPC. If the answer to any part of the question is ‘yes’, then you are not dealing with a transitory record and it must be retained.

Scenario – You keep a notebook (in paper form or electronic) as an ongoing record and reminder of your daily activities?it contains information about meetings and presentations as well as information on your lunch and dentist appointments.  Information in the notebook that contributes to the documentation of a program or activity should be copied to the departmental record.  Once that has been done you may dispose of the notebook at your discretion.  If the notebook contains information relevant to an ATIP request that was received before the notebook is destroyed, it must be included in the records provided to ATIP for processing.

For questions or clarification with respect to specific records, please consult either the OPC’s Information Manager or the Director of ATIP. OPC employees should also consult the Guideline on Disposing of Records (RDIMS #185634).

Note: it is unlawful to destroy any record once a formal ATIA or PA request has been received. So, if a transitory record still exists and is relevant to a request received by the OPC, that record cannot be destroyed. It must be provided to ATIP for processing.

Are All Draft Documents Transitory Records?

Draft documents are preliminary versions used to create a final document and may be used to solicit comment and input from others before a document is finalized. Drafts prepared in the process of making a decision or implementing a policy, for example—and copies of such drafts—must be retained and filed where they have been annotated or where information has been added to them.

Some draft documents (including previously “saved” versions of electronic documents) need not be retained where they are working versions which have not been communicated beyond the individual who created them or where they are copies that are used for reference purposes only. These types of drafts may be treated as transitory records and routinely destroyed.

Once a draft has been shared with others in order to obtain input and opinions, those drafts must be retained in order to demonstrate the evolution of the document as it goes through the approval process. So, drafts prepared in the process of making a decision or implementing a policy or other operation must be retained where they have been annotated by others.

Scenario – You have drafted a report from research notes.  You make 10 copies of the first draft and circulate them to colleagues for comment.  Once you have received their comments you make changes to the report and submit a second draft to your boss.  After your boss? changes are incorporated the report is given to your Branch head as a final document.

Once the report is final, you may destroy your research notes. You may also destroy any of the returned first draft copies if you kept a master version to indicate any significant changes. The same is true of your boss’ comments if they are editorial in nature, however, changes in policy, approach or recommendations should be documented.

What About E-mails?

Electronic mail is a major tool used by federal government employees as a means of formal communication. OPC employees are expected to be able to distinguish between e-mails that are official records of business (and therefore must be saved) and those that are “transitory” in nature (and which therefore should be destroyed when no longer required).

Some e-mails are the same as simple telephone messages, ie. setting a meeting. Such e-mails are “transitory” and should regularly be deleted.

However, many e-mails have a direct impact on the management of the OPC and the various activities it carries out, ie. e-mails containing direction about the preparation of a major paper, initial thoughts as to how to proceed on an issue, or comments on a draft document. These types of e-mails are not “transitory” and they should be printed and placed on the appropriate file and/or saved in RDIMS. Once printed, filed and/or saved, the electronic form of the record can be deleted.

OPC employees should be aware that government institutions routinely receive specific requests under the ATIA and the PA for e-mails—the OPC is no exception. Once such a request has been received, any transitory e-mails that are relevant to a request must be retained, provided to ATIP and processed in accordance with the Acts.

Scenario A – You receive an e-mail inviting you to a meeting.  You may delete the e-mail whenever you wish as this is a transitory record?unless you are aware that an ATIP request has been received for the e-mail.

Scenario B – You have received an e-mail message containing significant and substantive information.  Once you either print a hard copy of the message and put it on file, or save the e-mail into the relevant electronic file, the original message can be deleted.

For information about the proper management of e-mails, see the Intranet tutorial mentioned earlier. OPC employees should also familiarize themselves with the Guidelines on Managing Electronic Mail found on the Intranet.

Section 67.1 of the ATIA

  1. No person shall, with intent to deny a right of access under this Act,
    1. destroy, mutilate or alter a record;
    2. falsify a record or make a false record;
    3. conceal a record; or
    4. direct, propose, counsel or cause any person in any manner to do anything mentioned in any of paragraphs (a) to (c).
  2. Every person who contravenes subsection (1) is guilty of