DAOD 1002-1, Privacy Act Requests and Correction of Personal Information
Table of Contents
1. Introduction
Date of Issue: 2004-10-01
Date of Last Major Modification: 2019-05-02
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).
Supersession:
- NDHQ Instruction ADM(Per) 7/83, Privacy Act – DND Implementation
- DAOD 1002-2, Informal Requests for Personal Information
Approval Authority: Corporate Secretary (Corp Sec)
Enquiries: Director Access to Information and Privacy (DAIP)
2. Definitions
government institution (institution fédérale)
Means:
(a) any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule of the Privacy Act, and
(b) any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act.
(Section 3 of the Privacy Act)
Info Source (Info Source)
A series of annual Treasury Board Secretariat publications in which government institutions are required to describe their institutions, program responsibilities and information holdings, including personal information banks and classes of personal information. The descriptions are to contain sufficient clarity and detail to facilitate the exercise of the right of access under the Privacy Act. Data-matching activities, use of the social insurance number and all activities for which privacy impact assessments were conducted have to be cited in Info Source personal information banks, as applicable. The Info Source publications also provide contact information for government institutions as well as summaries of court cases and statistics on access requests. (Policy on Privacy Protection, Treasury Board)
personal information (renseignements personnels)
Means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,
(f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,
(g) the views or opinions of another individual about the individual,
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
(i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,
but, for the purposes of sections 7, 8 and 26 and section 19 of the Access to Information Act, does not include
(j) information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including,
(i) the fact that the individual is or was an officer or employee of the government institution,
(ii) the title, business address and telephone number of the individual,
(iii) the classification, salary range and responsibilities of the position held by the individual,
(iv) the name of the individual on a document prepared by the individual in the course of employment, and
(v) the personal opinions or views of the individual given in the course of employment,
(k) information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, the name of the individual and the opinions or views of the individual given in the course of the performance of those services,
(l) information relating to any discretionary benefit of a financial nature, including the granting of a licence or permit, conferred on an individual, including the name of the individual and the exact nature of the benefit, and
(m) information about an individual who has been dead for more than twenty years.
(Section 3 of the Privacy Act)
personal information bank (fichier de renseignements personnels)
A description of personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution. (Policy on Privacy Protection, Treasury Board)
3. Objectives and Expected Results
Objectives
3.1 The objectives of this DAOD are to establish consistent practices and procedures for the processing of requests for:
- access to personal information that is under the control of the DND and the CAF; and
- correction of personal information that is under the control of the DND and the CAF and has been used, is used or is available for use for an administrative purpose.
Expected Results
3.2 It is expected that by following the instructions in this DAOD there will be:
- effective, well–coordinated and proactive administration of the Privacy Act within the DND and the CAF;
- complete, accurate and timely responses provided to any individual who exercises their right under the Privacy Act of access to and correction of their personal information; and
- efficient processes developed that will permit the disclosure of personal information by DND and the CAF organizations, if possible, directly to the individual to whom it relates, without a formal request under the Privacy Act.
4. Overview
Right of Access
4.1 Section 12 of the Privacy Act provides an individual with a legal right to be given access to their personal information contained in a personal information bank (PIB) and any other personal information held by the DND and the CAF with respect to which the individual is able to provide sufficiently specific information to locate the information. Any individual who has been given access to personal information that has been used, is being used or is available for use for an administrative purpose is entitled to request correction of that information if the individual believes it is not accurate.
4.2 Section 13 of the Privacy Act requires that an individual submit a request in writing to the government institution that is in control of the records containing their personal information. Formal requests made under the Privacy Act for personal information must be processed by DAIP.
Accessing Personal Information Informally
4.3 Despite an individual’s legal right under the Privacy Act to be given access to their personal information, the principle of openness and transparency should be promoted wherever possible by providing an individual with direct access to their personal information. The appropriate release authority within DND and CAF organizations may authorize the release of personal information directly to the individual to whom the personal information relates. All information released in this manner must comply with the National Defence Security Orders and Directives, Chapter 6, Security of Information, and the associated Security of Information Standards, which takes into account applicable exemptions or exclusions under the Privacy Act. A formal request under the Privacy Act, processed by DAIP, is not required in such cases.
5. Privacy Act Request Processing
5.1 All formal requests under the Privacy Act for access to personal information must be addressed to the DAIP for processing. Formal requests are those requests submitted in writing to the DND and the CAF in accordance with section 13 of the Privacy Act.
5.2 During the processing of a tasking from DAIP to provide records in response to a personal information request, the office of primary interest (OPI) and other DND employees and CAF members must consider limiting, on a need-to-know basis, the disclosure of information that could directly or indirectly lead to the identification of a requester, unless the requester otherwise consents.
5.3 DND employees and CAF members must follow the Instruction on Personal Information Requests and Personal Information Correction when processing DAIP taskings for personal information requests. DND and CAF OPIs may have their own internal procedures for dealing with personal information requests but such procedures cannot restrict those set by DAIP as the responsible organization in the DND and the CAF for processing requests under the Privacy Act for access to personal information.
Time Limits
5.4 All formal requests under the Privacy Act for access to personal information must be processed within 30 calendar days of receipt of the request. Should a request for access to personal information take more than 30 days to process, the time limit may be extended by DAIP for an additional 30 days in accordance with section 15 of the Privacy Act. The requester must be provided a written explanation as to the reason for the delay.
Reporting
5.5 DAIP is responsible for:
- preparing the annual report to Parliament on the administration of the Privacy Act;
- updating the DND and CAF Info Source chapter; and
- providing a statistical report on the administration of the Privacy Act to the Treasury Board Secretariat (TBS).
Note – See DAOD 1002-3, Management of Personal Information, for additional information regarding Info Source.
6. Correction of Personal Information Processing
6.1 If an individual who is given access by a formal request under the Privacy Act to their personal information believes there is an error or omission in the personal information that has been used, is being used or is available for use for an administrative purpose, the individual may complete and forward a Record Correction Request Form to DAIP in respect of each PIB containing the information. The Record Correction Request Form is available on the TBS website.
6.2 DND employees and CAF members must follow the Instruction on Personal Information Requests and Personal Information Correction when processing DAIP taskings for the correction of personal information. DND and CAF OPIs may have their own internal procedures for dealing with corrections but such procedures cannot restrict those set by DAIP as the responsible organization in the DND and the CAF for processing requests under the Privacy Act for the correction of personal information.
7. Privacy Act Training and Awareness
Appropriate Training
7.1 Level one advisors (L1s) must ensure that all DND employees and CAF members responsible for personal information management receive appropriate training.
Contracts, Arrangements and Other Agreements
7.2 As access by an individual to their personal information is a statutory right under the Privacy Act, L1s must ensure that all DND employees and CAF members who develop contracts, arrangements or other agreements do not purport by the use of restrictive clauses to limit that right.
8. Office of the Privacy Commissioner
8.1 A requester must be notified of their right to complain to the Office of the Privacy Commissioner (OPC) if access to a record or part of a record is refused.
8.2 DND and CAF OPIs must cooperate with DAIP in providing representations to the OPC.
9. Compliance and Consequences
Compliance
9.1 DND employees and CAF members must comply with the Privacy Act, the Privacy Regulations and this DAOD. Should clarification of these laws, policies or instructions be required, DND employees and CAF members may seek direction through their channel of communication or chain of command, as appropriate. Managers and military supervisors have the primary responsibility for and means of ensuring the compliance of their DND employees and CAF members with the Privacy Act, the Privacy Regulations and this DAOD.
Consequences of Non-Compliance
9.2 DND employees and CAF members are accountable to their respective managers and military supervisors for any failure to comply with the Privacy Act, the Privacy Regulations or this DAOD. Non-compliance may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. Managers and military supervisors must take or direct appropriate corrective measures if non-compliance has consequences for the DND or the CAF. The decision of an L1 or other senior official to take action or to intervene in a case of non-compliance, other than in respect of a decision under the Code of Service Discipline regarding a CAF member, will depend on the degree of risk based on the impact and likelihood of an adverse outcome resulting from the non-compliance and other circumstances of the case.
9.3 The nature and severity of the consequences resulting from non-compliance should be commensurate with the circumstances of the non-compliance and other relevant circumstances. Consequences of non-compliance may include one or more of the following:
- the ordering of the completion of appropriate learning, training or professional development;
- the entering of observations in individual performance evaluations;
- increased reporting and performance monitoring;
- the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
- the reporting of suspected offences to responsible law enforcement agencies;
- the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions;
- other administrative action, including the imposition of disciplinary measures, for a DND employee;
- other administrative or disciplinary action, or both, for a CAF member; and
- the imposition of liability on the part of Her Majesty in right of Canada, DND employees and CAF members.
Note – In respect to the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.
10. Responsibilities
Responsibility Table
10.1 The following table identifies the responsibilities associated with this DAOD:
The … |
is or are responsible for … |
---|---|
Corp Sec |
|
L1s |
|
DAIP |
|
OPIs and other DND employees and CAF members providing records in response to Privacy Act requests |
|
Acts, Regulations, Central Agency Policies and Policy DAOD
- Access to Information Act
- Financial Administration Act
- Privacy Act
- Privacy Regulations
- Framework for the Management of Compliance, Treasury Board
- Policy on Privacy Protection, Treasury Board
- Directive on Personal Information Requests and Correction of Personal Information, Treasury Board
- DAOD 1002-0, Administration of the Privacy Act
Other References
- DAOD 1002-3, Management of Personal Information
- National Defence Security Orders and Directives
- Instruction on Personal Information Requests and Personal Information Correction (in draft)
- Record Correction Request Form
Page details
- Date modified: