DAOD 1002-1, Requests under the Privacy Act for Personal Information

1. Introduction

Date of Issue: 2004-10-01

Application: This is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).

Supersession: NDHQ Instruction ADM(Per) 7/83, Privacy Act - DND Implementation

Approval Authority: This DAOD is issued under the authority of the Assistant Deputy Minister (Finance and Corporate Services) (ADM(Fin CS)).

Enquiries: Director Access to Information and Privacy (DAIP)


2. Overview

Terminology

2.1 The following table provides information on terminology used in this DAOD:

In this DAOD ...has/have the same meaning as in ...
  • administrative purpose;
  • government institution;
  • personal information;
  • personal information bank; and
  • Privacy Commissioner

section 3 of the Privacy Act.

  • disclosure of personal information

chapter 3 of the Treasury Board of Canada Secretariat policy entitled Use and Disclosure of Personal Information.

  • record

section 3 of the Access to Information Act.

Access to Personal Information

2.2 Under the Privacy Act, every individual who is a Canadian citizen or a permanent resident within the meaning of the Immigration and Refugee Protection Act, or is present in Canada, has a right to, and must upon request, be given access to:

  1. their personal information contained in a personal information bank (PIB); and
  2. any other personal information about them under the control of a government institution if they are able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution.

Formal Requests for Personal Information

2.3 Formal requests for personal information are made under the Privacy Act and must:

  1. be made in writing and signed;
  2. identify the PIB number or provide sufficient information on the location of the personal information to render it reasonably retrievable; and
  3. be submitted in person, by mail or facsimile at (613) 995-5777 to the DAIP:

    Director Access to Information and Privacy
    National Defence Headquarters
    101 Colonel By Drive
    Ottawa, Ontario
    K1A 0K2

2.4 Formal requests may not be sent by email.

Informal Requests for Personal Information

2.5 For information concerning informal requests for personal information, see DAOD 1002-2, Informal Requests for Personal Information.

3. Operating Principles

Time Limit

3.1 Requesters are entitled to expeditious processing of their requests for personal information. Section 14 of the Privacy Act provides a 30-calendar day time limit in which to respond. Responding to formal requests within the time limit provided under the Privacy Act is essential to ensure the success of the DND and the CAF policy of transparency and to promote its relationship with the Canadian public.

Extension of Time Limit

3.2 Under section 15 of the Privacy Act, the 30-calendar day time limit may be extended in certain circumstances.

3.3 The DAIP must ensure that the requester is notified of the reason for an extension prior to the expiration of the original 30-calendar day time limit.

Disclosure Refusal

3.4 If access to personal information is refused, the DAIP must advise the requester, in writing, of the:

  1. specific provision of the Privacy Act upon which the refusal was based; and
  2. right to complain to the Privacy Commissioner about the refusal.

Forms of Access

3.5 Under subsection 17(1) of the Privacy Act and subject to the Privacy Regulations, if an individual is to be given access to personal information, the DND must:

  1. permit the individual to examine the information; or
  2. provide the individual with a copy of the information.

Language of Access

3.6 Under subsection 17(2) of the Privacy Act, the following action is taken if access to personal information is requested by an individual in one of the official languages:

If the personal information ...then ...

already exists under the control of the DND in the language requested,

access must be given in the requested language.

does not exist in the requested language,

the DAIP must have it translated or interpreted for the individual if the DAIP considers a translation or an interpretation to be necessary to enable the individual to understand the information.

Exemptions

3.7 Under specific provisions of the Privacy Act, personal information may be exempt from disclosure.

3.8 The exemptions are provided to:

  1. protect the interests of third parties such as individuals or organizations who could be adversely affected by the disclosure of the personal information to the requester; and
  2. establish a delicate balance between the rights of the requester and other interests to be protected under certain circumstances.

3.9 If an exemption is applied, the requester is informed of the reason and the applicable provision of the Privacy Act.

Top of Page

4. Complaints and Investigations

Role of the Privacy Commissioner

4.1 The Privacy Commissioner provides an independent review of the government's compliance with the Privacy Act.

4.2 The Privacy Commissioner:

  1. receives, investigates and responds to complaints made under the Act;
  2. provides an annual report to Parliament on these activities; and
  3. applies or appears before the Federal Court in judicial review proceedings.

Complaints

4.3 Under subsection 29(1) of the Privacy Act, the Privacy Commissioner must receive and investigate complaints made by individuals concerning administration of the Act by government institutions.

4.4 The complaints that the Privacy Commissioner must investigate are set out in paragraphs 29(1)(a) to (h) of the Act. They must be made in writing, unless otherwise authorized by the Privacy Commissioner.

Investigation by the Privacy Commissioner

4.5 Investigations of complaints by the Privacy Commissioner are conducted in private. Upon completion of the investigation, the Privacy Commissioner usually reports the results of the investigation to the complainant and to the DAIP.

Application to Federal Court

4.6 Under section 41 of the Privacy Act, if an individual has been refused access to personal information requested under subsection 12(1), and a complaint has been made to the Privacy Commissioner and investigated, and the results reported, the individual may apply to Federal Court for a review of the matter.


 

5. Responsibilities

Responsibility Table

5.1 The following table identifies the responsibilities regarding requests under the Privacy Act for personal information:

The ...is/are responsible for ...

DAIP

  • establishing policies and procedures to permit individuals efficient access to personal information to which they are entitled;
  • receiving, controlling and responding to formal requests for personal information;
  • verifying the requester's right of access;
  • ensuring the request can be understood by an experienced DND employee or CAF member before sending it to the appropriate Office of Primary Interest (OPI) responsible for the physical custody and management of the personal information requested;
  • applying exemptions if necessary;
  • consulting OPIs on the exemptions to apply, if necessary;
  • approving or refusing disclosure of personal information under the Privacy Act;
  • deciding, on a case-by-case basis, if personal information is to be translated or interpreted;
  • advising individuals if their personal information has been released inadvertently;
  • creating and amending PIBs within the DND, with Treasury Board's approval;
  • ensuring that the necessary regulations, guidelines and publications are available within the DND and the CAF; and
  • providing guidance to OPIs on questions concerning formal access to personal information.

OPIs

  • complying with Privacy Act taskings from the DAIP for personal information and forwarding the requested records as quickly as possible within the timeframes set by the DAIP;
  • informing the DAIP of the anticipated response date if not able to provide the requested information within the time frame;
  • seeking immediate advice from the DAIP if in doubt regarding any aspect of the Privacy Act; and
  • recommending exemptions, if applicable.

DND employees and CAF members requesting personal information

  • determining whether to submit a request for personal information under the Privacy Act or an informal request; and
  • submitting a written and signed request to the DAIP that identifies, where possible, the PIB that contains the information or provides sufficiently specific information on the location of the personal information.

6. References

Acts, Regulation, Central Agency Policies and Policy DAOD

Other References