ACCESS TO INFORMATION AND PRIVACY (ATIP) PROCEDURE … · Two types of Exemptions - Mandatory vs....
52
ACCESS TO INFORMATION AND PRIVACY (ATIP) PROCEDURE MANUAL PACIFIC REGION 1
Transcript of ACCESS TO INFORMATION AND PRIVACY (ATIP) PROCEDURE … · Two types of Exemptions - Mandatory vs....
ACCESS TO INFORMATION AND PRIVACY (ATIP)
PROCEDURE MANUAL
PACIFIC REGION
1
ACCESS TO INFORMATION AND PRIVACY PROCEDURES MANUAL TABLE OF CONTENTS
Title Page Access to Information (What is Access to Information Act (ATI) ………………………………. 4-5 Access to Information Exceptions ……………………………………….. 6 Access to Information Exclusions ………………………………………... 7 Access to Information Act Exemptions – Mandatory / Discretionary … 8 Access to Information Act – Government Information should be available to the public ……………………………………………………. 9 Access to information Request Form ……………………………………. 10 Access to Information Regional Procedures ……………….. ………….. 11-12 Quick Guide for Processing Atip Requests …………………. …………. 13 Quick List of Information for Protection under Atip ………………….. 14 Access to Information Return Memo ……………………….. ………….. 15 Definition of a Communications Plan …………………………………… 16 Definitions to Help You …………………………………………………… 17 Definition of Search Estimate Justification ……………………………… 18-20 Draft Document …………………………………………………………… 21 Electronic Mail ……………………………………………………………. 22 E-Mail Quick Reference ………………………………………………….. 23-27 E-Mail Retention Policy …………………………………………………… 28 Extensions …………………………………………………………………. 29 Frequently asked Questions and Answers - ATIP …………………….. 30-31 HTML Format Rich Text ………………………………………………… 32-34 Records Management – Official Records ……………………………….. 35 Search Estimate Form ………………………………………... …………. 36-38 Transitory Records ……………………………………………………….. 39 Privacy (What is the Privacy Act) ……………………………………….. 40-41 Personal Information Request Form …………………………………… 42
2
Info Source ………………………………………………………………… 43-45 Personal Information and Protection of Electronic Documents Act ….. 46-47 (PIPEDA) Personal Information is defined in the Privacy Act ……………………. 48 Privacy Impact Assessment Policy – PIA’s………………………………. 49-50 Frequently Asked Questions and Answers– PIA’s …………………….. 51-52
3
Access to Information
What is Access to Information Act (ATI)? The ATI came into force in 1983 and provides a right of access to records under the control of a government institution except in limited and specific circumstances Who has access?
• Canadian citizens • Permanent residents • Persons present in Canada
Not intended to replace existing procedures for disclosing information Fundamental Principles: • Government information should be available to the
public. • Exceptions to the right of access should be limited
and specific. • Decisions on the non-disclosure of information
should be reviewed independently of government. What is Accessible? • Any record under the control of a government
institution • Section 3 of the Act defines a record as: “any
correspondence, memorandum, book, plan, map, drawing, pictorial or graphic work, photograph, film, microfilm, sound recording, videotape, machine readable record, and any other documentary material regardless of the physical form or characteristic and any copy thereof.”
How is it Accessible? • Request must be in writing • DFO must respond within 30 calendar days • Time limit may be extended (s. 9)
volume consultations with other governments consultations with third parties
Your Responsibilities under ATI as a DFO Employee:
• Responsible to ensure that corporate
information residing in textual and electronic format is identified, safeguarded and retained.
• In response to ATI requests, employees are
required to provide all relevant information in their possession that responds to the subject matter of the request.
• Responsible to ensure that deadlines for
requests are met.
• Responsible to ensure that they provide comments and recommendations regarding disclosure of records to ATI.
What are the Most Commonly Claimed Exemptions/Exclusions used in DFO:
- Federal-provincial affairs (s.14) - Personal information (s.19) - Confidential third party information (s.20) - Internal decision-making processes (s.21) - Solicitor-client privilege (s.23)
For further information on ATI: • Contact your Atip Advisor, ATIP
Telephone: (604) 775-7830, OR
• http://www.dfo-mpo.gc.ca/atip-aiprp/index_e.htm
4
FACT:
Information under the control of a federal government institution may be sought under the provisions of the Access to Information Act by anyone in Canada.
All government employees are responsible for protecting information and releasing information in accordance with the Act(s). Any question or concern about this should be directed to your Atip Advisor, ATIP. (604) 775-7830.
All government employees are responsible for following proper records management practices and ensuring that their records are accurate, current and retrievable.
FACT: There are 8 mandatory exemptions outlined in the Access to Information Act. Federal government institutions cannot release records in these categories unless certain conditions are met (e.g., consent of the third party affected or if the information is publicly available). This is as close to “confidential” as we get!
Access to Information Act - Mandatory Exemptions
Section Subject 13(1)
Information obtained in confidence from other governments
16(3) Information obtained or prepared by the RCMP while performing policing services for provinces and municipalities
19(1)
Personal Information
20(1)(a)
Trade secrets of a third party
20 (1)(b) Financial, commercial, scientific or technical information supplied confidentially to DFO and is treated consistently in a confidential manner.
20(1)(c) Information the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of a third party.
20(1)(d)
Information the disclosure of which could reasonably be expected to interfere with contractual or other negotiations of a third party.
24(1)
Statutory prohibitions (other acts/sections set out in Schedule II)
5
Access to Information Exceptions Principle 2 • Exceptions to the Right of Access should be limited and Specific
Exemptions • Mandatory vs. Discretionary • Harm Test (Specific, Current, Probable) • Severability (s.25 of ATIA)
We can protect certain information from being released. Exemptions: are sections of the Act that allows us to protect information. Having said that, it is govt’s policy, and in keeping with the spirit and intent of the Act, to release information when there is no need to withhold it. Two types of Exemptions - Mandatory vs. Discretionary: Mandatory means we SHALL withhold the information, and Discretionary means we MAY withhold – in the case of MAY – we must exercise our discretion as to whether or not the exemption is necessary – the weighing or balancing exercise of the harm
There are three things to consider in that balancing act - disclosure of the information must: 1. reasonably be expected to prove harmful to the specific public or private interest 2. identify the detrimental effect at the time the exemption is claimed, or in the foreseeable future 3. reasonable likelihood of the injury occurring. The bottom line is: just because there may be an exemption that applies, we must use our discretion, and be capable of defending it. This is why your recommendations and comments on the documents you provide in response to an ATIP request are so vital to our being able to do our job properly. Also important to note that the only person who can apply the law is the A/Coordinator of ATIP – Norma McLelland. She has the delegated authority from the Minister to do so. Section 25 of the Act - stipulates that departments shall disclose any part of a record that cannot be protected by an exemption. Therefore, even though part of a document may be “not relevant’ to the subject of the request, unless that portion is sensitive in nature, we must disclose.
6
Access to Information Exclusions
Excluded from Scope of Act: • Published / Purchasable material • Public library Museum material • Confidences of the Queen’s Privy Council – Cabinet Confidences – 20 years The Act has sections that are called “Exclusions”. This means there are certain types of records that are considered “Outside the scope of the Act”. Published material, material available for purchase, and other materials found in a library/museum are exclude from the act. It is DFO’s practice to advise requesters of the types of published information that we have relevant to their ATIP request and where they can obtain a copy. Cabinet Confidences, s. 69: In order to preserve our Canadian Cabinet system of government … the ability of Ministers to be able to express their views freely during the discussions leading up to Cabinet decisions - subsection 69(1) of the Access to Information Act provides that the Act does not apply to confidences of the Queen’s Privy Council for Canada. Examples: Memos to Cabinet, Treasury Board Submissions, Communications between Federal Ministers and Draft Legislation.
Even references to these documents may be considered Cabinet Confidences...i.e: Deck with bullet “MC on Species at Risk scheduled for presentation to Cabinet - 31 October”.
7
Access to Information Act Exemptions – Mandatory / Discretionary
Exemptions – Mandatory:
• s. 13 – Information Obtained in Confidence from other Governments • s. 19 – Personal Information • s. 20 – Third party information • s. 24 – Statutory Prohibitions
Exemptions – Discretionary: • s. 14 – Federal-provincial affairs • s. 15 – International affairs and defence • s. 16(1) & (2) – Law enforcement/investigations • s. 17 – Safety of individuals • s. 18 – Economic interests of Canada • s. 21 – Operations of government • s. 22 – Tests of audits • s. 23 – Solicitor-client privilege • s. 26 – Information to be published within 90 days
MANDATORY 13 = eg: a letter sent to DFO by the province, that is classified confidential – we MUST consult 19 = eg: race, national or ethnic origin, colour, religion, age or marital status, sin number etc. see the ACT for a more detailed description 20 = eg: catch data from a fisher is considered confidential third party information; per-diems, hourly rates on contracts etc. 24 = Statutory prohibitions are other Acts of parliament that can take precedence over the ATI Act eg: s.241 of the Federal Income Tax Act DISCRETIONARY 14 = eg: strategies of the federal government related to negotiations with a province 16(1)&(2) = eg: investigative report prepared by C & P regarding an ongoing illegal fishing case 17 = eg: violent individual that has access to information about a witness (very difficult section to prove) 18 = Economic Interests of Canada *21 = Advice and recommendations eg: options found in BN whereby a decision is yet to be made 22 = eg: questions on a competition that will be used again in future competitions 23 = eg: advice either sought or received from legal services / Justice 26 = eg: Audit report the department plans to post on the internet * We cannot apply section 21 to a report that was done by a consultant, as s.21 can only be applied to protect information INTERNAL decision making processes. The most commonly used exemptions in DFO are: 13, 14, 15, 16, 19, 20, 21 and 23.
8
Access to Information Act - Government Information should be available to the Public
Principle 1 Government Info should be available: - This right of access is applicable not just to records created by DFO employees, but also to any record we have in our possession or over which we have control - For example - If we receive an ATIP request for all records on computer purchases, then DFO must provide copies of not just the records we created but also copies of all other information - records, e-mail, etc that we received from any other source whether it be from other government departments, the province, third parties, stakeholders, Joe Public, to name a few. -ATIP as last resort : - The Access to Information Act was not created to replace or limit procedures that already exist to provide information to the general public. That is to say - if you have documents that you would readily give copies of - to anyone who asked (i.e. member of MEDIA), then there is no need to refer them to ATIP to obtain the document. Some examples might include minutes of public consultation meetings, notices to fishers, copies of guides or standards, etc. It was intended that ATIP be a last resort to obtain government information - after all other avenues have failed.
9
Example of a Request Form
10
ACCESS TO INFORMATION (ATIP)
REGIONAL PROCEDURES
The following are basic procedures to be followed by Pacific Region staff when responding to requests made under the Access to Information Act. RECEIPT OF ATIP REQUEST IN OTTAWA: When an Access to Information and Privacy (ATIP) request is received in the ATIP Secretariat in Ottawa, it immediately commences the clock ticking on a legislated thirty (30) calendar day response time. The request is assigned a Departmental Number by the ATIP Officer in Ottawa before being sent to the Pacific Region. Ex.: ATI 2007-0212/mc – “A” identifies that it is an Access Request; 2003 identifies the year in which it is received; “0212” is the sequential number assigned by the officer; “mc” identifies the officer who is assigned in Ottawa.
1) ATIP requests are sent by e-mail notification for retrieval of records to the Atip Advisor who in turn sends it to all program manager/staff who are responsible for the subject matter of the request.
2) ATIP requests must be treated on a priority basis. The Regional ATIP Advisor is responsible for setting the
deadline for the program to respond with the relevant records. It is important to note that the Department is responsible for completing the requests within the established deadlines as they are based on statutory requirements.
3) When you receive a request read the wording carefully. If you have any questions, contact the Regional ATIP
Advisor immediately to discuss. The 30-day time limit is legislated.
4) The program manager/staff will advise the Regional ATIP Advisor by e-mail if he/she has no involvement regarding the request or if another program has the information. If you have no records advise the ATIP Advisor by e-mail.
5) It is very important that you read and always complete the Access Request SEARCH FORM attached to all new
requests and forward within 48 hours to the Regional ATIP Advisor Muriel Kinnear (see copy of search form attached). Check to see if the request has been sent to more than one OPI (office of primary interest). If so, you must get back to the Atip Advisor as soon as possible with your search fee estimate as the form applies to the entire Region, cumulatively. Please fill in a search estimate form regardless of the time it takes you. Ensure the search form is prepared by someone with knowledge of the subject and the files. A search form should include estimates of the total search time to identify relevant records, number of relevant records and number of offices/files and other records to be searched through. Include an explanation for the number of search hours submitted. This is required in case the requestor complains to the Information Commissioner about the number of search hours he/she has been billed. Your explanation will be used to defend the Department on the number of hours of search billed. Review time and photocopy time are to be excluded from your estimates. The Atip Advisor will collect and tally them up and inform you accordingly. The applicant will have to confirm a willingness to pay for time in excess of 5 hours. The time clock on the 30 days will stop while requestor is being consulted on search fees. Program staff will be notified if and when the records are to be retrieved, copied and forwarded to the Regional ATIP Advisor for review.
6) Once you are directed to go ahead, gather all information. When photocopying documents please do not double side copies. Any double sided copies must be converted to one sided copies only. You are required to submit two duplicate sets of files to the Regional ATIP Advisor for processing. If you are unsure of its relevance, send it anyway. YOU DO NOT HAVE THE LEGAL RIGHT TO SEVER ANY INFORMATION. The ATIP Officer in Ottawa will review all information, referencing the ATIP Act, and he/she will determine if information can or should be removed. The program manager/staff must review the records and cannot withhold documents. For example solicitor-clients or sensitive information must be included in the package, (do not sever any part of the documents). Notify the ATIP secretariat, in writing, (see attached sample return memo) which is attached to all
11
new requests and flag (do not write directly on the records) any concerns regarding the disclosure of the information you are providing. If the information is already publicly available notify your superior and the Secretariat of any possible need for communications plans/media lines or briefing material for the possible release of the information. If the information flagged by the OPI is not struck from the final release to the requestor, the ATIP Officer in Ottawa will contact the Atip Advisor and advise that the information was released, and the reason for the release. The Atip Advisor will relay this information back to the relevant OPI(s) and the Regional Director, Communications.
7) You can request an extension to the deadline date for gathering the information requested, only if the documentation
requested is voluminous. Inform the Atip Advisor of your needs. Important things to remember when compiling your record response:
• Check to ensure that all attachments have been provided.
• Each individual OPI is to provide all of their records in response to a request even when numerous OPIs have identical documents. The Atip Secretariat in Ottawa will determine what constitutes a duplicate.
• E-mail records must be printed separately - there is to be no running on of e-mails. In other words, each individual e-
mail should be printed separately on its own page. (Problem are being encountered with different e-mails being printed on the same page that do not necessarily relate to the request.)
NOTE: All new ATIP requests received are sent to Terry Davis Regional Director Communications for review to
determine if a Communications plan/media lines is required.
ATIP information is located http://comm.info.pac.dfo.ca/atip/default.htm Additional ATIP Information is located
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_121/siglist_e.html
http://www.dfo-mpo.gc.ca/atip-aiprp/index_e.htm
12
Quick Guide to Processing ATIP Requests
This guide is intended as a quick reference only.
1. Request received from ATIP Advisor. Read the wording of the request carefully. If you have any questions, contact the ATIP Advisor to discuss.
2. Determine whether you have any relevant records.
3. If you have no records relevant to the request, advise the ATIP Advisor Muriel Kinnear by e-mail
immediately.
4. If you know of another office/directorate/area/source that may have records relevant to the request, advise the ATIP Advisor Muriel Kinnear by e-mail.
5. If it has been determined that your area does hold records relevant to the request, calculate
approximately how much time it will take to do the search. A search estimate must be submitted for each request no matter how little of time you may have. Justification must be provided for the amount of all time submitted. Search estimate form is to be returned with in 48 hours to the Atip Advisor Muriel Kinnear.
6. Gather all records by searching through all record holdings, both electronic (such as E-mail and
MECTS) and hard copy. All efforts must be made to obtain the signed version of memos, letters and briefing notes. All records with attachments must be included. If unsure about the relevance of a record, send it anyway. The ATIP Officer in Ottawa will determine which records are relevant to the request. (Consultation with the requester may be necessary.)
7. Review all records carefully and identify which records (or parts thereof) you consider to be sensitive.
It is not necessary for you to identify which section of the Act may be applied, that is the responsibility of the ATIP Directorate. Please do not write directly on the documents; use sticky flags instead.
8. Any double sided copies must be converted to one sided copies only. Send all records in duplicate sets.
9. Complete the Return memo (attached to the original ATIP tasking E-mail) and provide it to ATIP
Advisor, along with the records and your recommendations. It is essential not only to identify sensitive records, but to indicate why the information is sensitive. Do not sever any part of the records.
10. Contact your Atip Advisor or Regional Communications Director when you feel communications
material is necessary due to sensitivities regarding the records. 11. Be prepared for ATIP to call for further discussion on review of the records
13
Quick List of Information for Protection under ATIP The following is a quick list of information that could possibly be protected under the Access to Information Act, and therefore should be identified when responding to an ATIP request.
1. Information Obtained in Confidence: • From the Government of a Foreign State; • From an International Organization of States; • From the Government of a Province; • From a Municipal or Regional Government.
2. Information which could be injurious to the conduct of federal-provincial affairs;
3. Information which could be injurious to the conduct of international affairs; the defense of Canada, or any
state allied with Canada.
4. Information relating to law enforcement and investigations;
5. Information which could reasonably be expected to threaten the safety of individuals;
6. Information relating to the economic interests of Canada;
7. Personal information (address, telephone number, SIN numbers, etc.);
8. Third party information (e.g. trade secrets, financial, commercial, scientific or technical information, etc.);
9. Information that contains advice or recommendations; an account of consultations or deliberations; positions or plans developed for the purpose of negotiations; plans relating to the management of personnel or the administration of a government institution. Section 21 of the Access to Information Act which relates to Operations of Government and in particular advice and recommendations. The main purpose of the section 21 exemptions is to protect the internal decision-making processes of government. And yes, section 21 is used a lot on briefing notes because they of course are a primary source of recommendations and advice. See act for more on 21 if required.
10. Information relating to testing or auditing, procedures or techniques.
11. Information that is subject to solicitor-client privilege.
12. Information that the institution believes on reasonable grounds that the material will be published within 90
days of the request. Information which can be excluded is as follows:
1. Information which is publicly available;
2. Confidences of the Queen’s Privy Council for Canada.
14
Example of Return Memo
MEMORANDUM NOTE DE SERVICE
Access to Information and Privacy
To À
Norma McLelland A/Director Coordinator Access to Information and Privacy
From De
Security Classification - Classification de sécurité
UNCLASSIFIED Our file - Notre référence
ATI- Your File - Votre référence
Date
Subject Object
REQUEST NUMBER: ATI-
I have no objections/concerns with the release of these records.
•
Com Act Act Em (Em (Em (Em
I have no objections/concerns with the release of these records EXCEPT for pages flagged, which should be withheld
because: (rationale must be provided to justify recommendation.)I recommend total exemption of all records for the following reasons:
Some examples of sensitive records: part of on-going investigation, solicitor-client privilege, scientific research awaiting publication, would affect on-going negotiations, cabinet confidences. munications plan required?
ual time spent searching.
ual time spent photocopying.
ployee Group and level.
ployee Signs) (Date) (Regional or Area Director Signs) (Date)
ployee Prints Name) (Regional or Area Director Prints Name)
ployee Prints Title) (Regional or Area Director Prints Title)
15
Definition of a Communications Plan Communications Plan: An ATIP communications plan is needed when an issue is deemed controversial (or when it may lead to a party going to the media because of the ATIP information released). A communications plan helps to ensure that DFO (regionally and nationally) is on the same page about an approach to a specific issue. The plan explains the issue and background information, identifies the key players (audience), outlines the steps or actions that DFO will take to address the issue, contains media lines, and identifies a spokesperson. The plan is a tool that is developed by Communications Branch, and then approved in the region, NHQ and by the Minister's office.
16
Definitions to Help You DEFINITION OF “OUTGOING CORRESPONDENCE” Generally, a letter which is leaving the department and going to an outside entity. Often memorandums are use for outgoing correspondence and they would be included in this definition. Any other article that meets the criteria of “outgoing” or leaving the department and “correspondence”, which generally means to communicate in writing and often implies a back and forth communication. This would include copies of e-mail which are leaving the department and faxes if the fax contains a “communication” (as opposed to simply transmitting something else). Any attachments or enclosures to the outgoing correspondence would generally form part of the correspondence. DEFINITION OF “MEMORANDA” Generally, a government memorandum which is being transmitted internally but includes internal e-mail and internal faxes. Any other article that meets the criteria of internal communications of a relatively formal nature. For example, a yellow sticky or transmittal slip might not be considered to be a memo but a circular or briefing note would be. Also, any attachments referred to in the memo would be considered part of the memo. DEFINITION OF A “ RECORD” A record is defined by the National Archives Act of Canada and, in addition to the regular paper based records, includes anything that contains information, such as video, audio tapes microfilm computer files and e-mail, voice mail, maps photographs, drawing notebooks or diagrams. GENERAL It is also important to ensure that you are reviewing actual correspondence or memos. Sometimes program staff will print the relevant items from their systems and provide them, but since they contain no dates nor signatures they would be considered drafts. It is very important to verify, before processing the records for a request, whether the applicant is seeking outgoing correspondence AND memos or just outgoing correspondence you would provide only with that which is required.
17
Definition of search estimate justification, Pacific Region Search time is the actual time it takes an individual to locate and identify a record as being relevant to the request The following may be of some help in clarifying on how to prepare an estimate of search time when estimating the time it will take to retrieve records responsive to a request. When preparing an estimate, take the following into account: 1. When deciding how long it will take to retrieve the relevant records, consider first how many files you have to look/search through, and how many pages (approximately) are in those files. Keep in mind that we can only charge for the search time it takes to locate/identify the relevant records. We cannot include in the search time estimate the time it takes to photocopy the records – that charge is built into the photocopying cost of 20 cents per page which is charged to the requestor. At this stage, prior to completing a review for exemptions, we do not know if perhaps half of the records might end up being withheld and thus they would not be photocopied for the requestor. 2. When deciding how long it will take you to retrieve the relevant records, determine how much straight working time it would take to identify and remove the relevant records from the files. This does not mean that you are to work full-time on the retrieval of the records. If it would take one full day to review the files and identify the relevant records, you do not have to pull the records out and send them to your ATIP Advisor in one day. If the retrieval involves a search for or through a large volume of records, we will take into account a situation where, due to other operational requirements, you cannot work full time only on the retrieval of the records. It is understood that you can only devote one or two hours per day to the retrieval of the records. An extension of time can be given retrieve the records. You must make this request to your Atip Advisor. 3. At this stage, all you should include in the estimate of search time is the number of hours it will take you to identify relevant records and send them to the Atip Advisor. The only amount of time that should be included in the estimate is the time taken to identify that a record is within the scope of the request and the time it takes to remove the records from the files. Do not include photocopying time.
A more detailed search estimate justification is now being required. If the justification does not reasonably explain the number of hours being charged, the estimate form will be returned for verification.
Examples by record type and filing format, 1) Electronic records – the search through these records can be completed using a `key word search`. The estimate for
this type of search cannot include the time it takes the computer to search nor the time it takes you to print the records located.
2) Email records – the same `key word search` may be used and the same criteria applies as above. 3) Hardcopy records – This type of record can exist in different formats dependant upon the operational requirements
of your sector. a)
b)
Records filed by subject matter ie) for Habitat Biologists; files are generally by proponent/project. Therefore, if the request is for all records on that particular project, the only search would be the time it takes you to open your filing cabinet and locate the file labelled `project x`. If the request is for portions of that file however, then the search required would be calculated on the basis of how thick the file is.
Records filed by type of record, ie) Briefing Notes – if the request is for particular subject(s) and your file is by date, you would have to search through the entire file to find relevant records. This would result in a search estimate based on the thickness of the file.
GUIDELINES: 12 inches or 30 cm of paper contains between 1,500 and 2,500 pages. It is estimated to take about 1 hour to search through 12 inches or (30 cm) of paper in order to determine which records are relevant.
18
RELEVANT RECORDS GUIDE Estimated Number of Relevant Records Guide: Example Approach # 1: To help make a determination on the number of estimated relevant records, the OPI should conduct a sample search. For instance, if you have 10 inches of records, select a sample of one inch. Review records to determine how many in the one inch are relevant. If there is one relevant record in the one inch, based on that ratio – in the 10 inches of records there may be 10 relevant records: 1 inch = 1 record 10 inches = 10 records (potentially). Example Approach # 2: If you have one filing cabinet drawer full of memos and you know that there is one memo in the drawer that is relevant, but that you would have to search the 12 inches of records to locate it – the number of potential relevant records would be one. Example of Justification which is required: Total search estimate time: 18 hrs. 6 notebooks approx. 2” thick ea. 12” paper (1 hr.) 4 ring binders approx. 3” thick ea. 12” paper (1 hr.) 60 current hard copy files 2” thick total 120” of paper (10 hrs.) 820 e-mails approx. (2 hrs.) 24” of loose filing. (2hrs.) 12 archive files 2” thick ea. 24 inches (2 hrs.) Example of when a search estimate would not apply: If you have a room full of files relating to one topic and a request was received for that specific topic the hours of search would be nil, as you know the location of the files and each file relates to the request. Things to keep in mind when filling out an estimate. Ensure it is prepared by someone with knowledge of the subject and the files. Should include total search time to identify relevant records. Provide an estimate number of relevant records. Number of records (offices/files) to be searched through. Do not include photocopying time in time of search. Do not include driving from one office to another to locate files - the time spent driving cannot be included. Do not include the time needed to ascertain what information is judged to be protected and flagged. Return search estimates within 48 hours to the Atip Advisor in your region. Once all search estimates are received and tallied, the first five free hours are subtracted from the estimate and written notice is then sent to the requestor asking for the amount required for the balance of hours. For every hour in excess of five hours the applicant is charged $10.00 dollars an hour.
19
The requestor has a right to complain to the Information Commissioner about the amount he/she is being charged. If and when a complaint is submitted to the office of the Information Commission regarding the amount of fees charged, our HQ ATIP Office needs to be in a position to defend those fees. We require as much justification as possible on the search forms since without this justification we cannot defend the Department’s position. If you have any further clarification or wish to discuss this matter, please do not hesitate to contact your ATIP Contact here in the Pacific Region.
20
Draft Documents The Treasury Board Guidelines state that “draft documents are considered institutional information holdings under the policy on the Management of Government Information Holdings.” Draft documents that must be kept - Drafts prepared in the process of making a decision or implementing a policy or other operation before the activity was completed and copies of drafts relating to such activities will be retained and filed where they are annotated or otherwise added to in a fashion which indicates the evolution of the document as it goes through the approval processes. - Drafts can be kept for historical efficiency and other purposes. It is good practice to retain documentation showing how and why the government chose to act in a certain way – to show what options were considered and what were rejected and why. Many times the only record of that process and those choices is in the form of various drafts and/or copies of drafts on which handwritten comments have been added. - Retaining these drafts for future reference (when faced with another similar situation of why we choice a particular course of action over all other options). Before destroying any drafts ask yourself the following questions about draft records: • Does it involve financial or legal matters or have policy, program procedure implications? • Does it provide a record of why or how decisions and actions were taken? • Does it provide information needed to account for activities? If the answer to any of the above questions is yes – then the document should be retained and disposed of only in accordance with the Policy on the Management of Government Information and the National Archives Act. Transitory - If only you have worked on the document and have not shared it with anyone. - If no significant changes have been made. If you have a draft document that you consider to be transitory in nature, and you are made aware that your department has received a formal Access to Information request, relating to this information, then you must not destroy the draft. Also, keep in mind that you must retain draft versions as official records when they document evidence of approval or the evolution of a document or where they indicate changes in policy, approach or recommendations.
21
Electronic Mail
Electronic Mail has become a major tool by which Public Service employees communicate among themselves. Once again, it is a technology which allows rapid transmission of information for interpersonal communications. It is used both as a means of formal communication and, in some circumstances, as the equivalent of informal verbal exchange. In this sense, electronic mail is no different than any other piece of information created or obtained by an institution in the carrying out of its business. Much of the information created in this way will have direct impact on the management of the institution and the various activities it carries out. This will vary from the simple call for a meeting with rough agenda to direction to prepare a major policy paper, some initial thoughts on how to proceed, or comments on a completed draft. This type of information should be filed as a record of the institution. Some messages will be ephemeral and may be equated with simple telephone messages. These may be discarded in accordance with appropriate disposal authorities approved by the National Archivist. When electronic mail has been copied to another filing system or forms part of the current directory and file for the actual electronic mail system then it would fall within the scope of a request. If a record exists when an access request is received, it is incumbent upon the institution to take reasonable measures to ensure that records relating to the subject of the request are not destroyed until the request has been completed, including any complaint or appeal process. Dockets transmitting access requests for processing should make clear that records relating to a request cannot be arbitrarily destroyed and that even where they may be scheduled for destruction under an approved schedule they should not be disposed of until the request (and subsequent complaint, if any) is fully processed, as personnel outside the Access Unit may not be aware of the requirement for retention in such circumstances.
22
IMRC - FMI: E-Mail Quick Reference Cards - Questions And Answers
This draft e-mail guidance in the form of Quick Reference Cards (Q's &A's) was developed by an interdepartmental working group. Various TBS policy centres have provided feedback and legal opinion is now being sought. The Q's &A's are generic, a quick "rule of thumb". Institutions may need to modify answers for their own specific situations. As this is an evolving guidance, we are seeking your feedback and additional Q's &A's that are non-institutional specific.
1. What is e-mail?
2. What do I need to know about sending an e-mail message?
3. In which official language must e-mails be sent for Service to the public?
4. In which official language must e-mails be sent within the federal government?
5. What e-mails should I keep?
6. Where should I file e-mail?
7. Who is responsible for saving Institutional e-mail?
8. Do I need to file my e-mail?
9. Where should contractors/consultants working for the GoC file their e-mail?
10. Which e-mail may I delete?
11. What should I consider about attachments to e-mail?
12. Does Access to Information legislation apply to deleted e-mail that has been copied to backup tapes?
13. Does Access to Information legislation apply to e-mail created on a personal Internet e-mail account, e.g., Hotmail, Yahoo, using GoC equipment?
14. Are GoC consultants/contractors' e-mail accounts subject to a GoC ATI request?
15. Who owns the information e-mailed by a consultant/contractor working for the GoC?
1. What is e-mail?
Any message, including attachments, sent or received electronically
Includes the "envelope" or mail header and the message content
Includes messages containing correspondence, meeting notices, tasks, etc.
Includes messages in text, voice files, pictures, spreadsheets, executable files, etc.
23
Includes messages sent or received in desktop systems, chat rooms, web sites, personal digital assistants (PDA's) etc.
2. What do I need to know about sending an e-mail message?
All e-mail messages must include:
The sender's name,
Institution,
Telephone and fax numbers with area code and extension numbers,
Postal and email addresses.
Where an e-mail address serves a program or service rather than an individual, contact information must include:
The institution's name,
Postal and e-mail address,
Telephone and fax numbers, and teletypewriter (TTY) number when applicable.
All e-mail messages must include the "Canada" word mark and institutional signature.
In general, e-mail should be sent in both official languages when the official language of recipient(s) is not known.
Depending on your e-mail security, in general "Protected C" and above should not be sent via e-mail. Example: Cabinet documents must not be sent via e-mail.
3. In which official language must e-mails be sent for Service to the public?
A. If the office must serve the public in both official languages:
Sending e-mail:
if the official language of the addressee(s) is known, in that official language, or otherwise in both official languages;
Responding to e-mail:
in the official language(s) of the addressee(s).
B. If the office serves the public in only one official language:
Sending e-mail:
if sending messages to its normal clientele use the official language which is the official language of the majority population of the province in which the office is located
Responding to e-mail:
if the message received is not in the official language in which the office serves the public, apply procedures used by the institution for replying to correspondence of this kind, whether received as e-mail or as a letter if a unilingual office sends an e-mail on behalf of a bilingual office the official languages obligations of the latter must be respected
24
4. In which official language must e-mails be sent within the federal government?
A. Initiating or responding to E-mails, from head office or an office from the NCR:
1. To all employees or to groups of employees in bilingual regions in language of work:
in both official languages
2. To individual employees or an office in a bilingual region for language or work:
in the official language of the actual addressee, if known, or otherwise in both official languages
3. To an employee or groups of employees in a unilingual region:
in the language of work of that region
if the head office of an institution, or any of its other offices in the NCR, adopts the approach of going beyond this requirement and sends e-mails in both official languages to one unilingual region, it must treat the other unilingual regions the same way
B. Special duties of offices of institutions having authority to direct, or provide services to, other institutions (e.g., TBS, PWGSC, Justice):
1. Initiating e-mails to, or responding to e-mails from, any employee or office:
in the official language of the correspondent, if known, or in both official languages.
C. Supervisors in bilingual regions for language of work sending e-mails:
1. General requirements in a bilingual position or in an either/or position
in the official language of choice of the person supervised
in the official language required by the position, if person supervised is in a unilingual position;
2. When sending e-mails to supervised employees whose required official language of work differs:
must respect the above as a minimum
may send e-mails in both official languages to everyone in work unit.
D. Persons in unilingual regions for language of work who supervise employees working in bilingual positions in bilingual regions:
send e-mail in the official language chosen by the person(s) supervised.
E. Persons supervising employees in a unilingual region for language of work:
send e-mails in the language of work of that region.
F. Initiating or responding to e-mails between persons working in unilingual regions whose language of work differs:
both sender and receiver have choice of official language in which to exchange messages.
25
5. What e-mails should I keep?
E-mails and/or attachments pertaining to the Institution's business, programs and services delivery activities, transactions and decision-making processes.
For example: Information that
Provides information about or evidence of what you and the institution have done, why it was done, who did it and what resulted.
Reflects the position or business of the institution
Initiates, authorizes or completes a business activity/ transaction
Documents/records a decision or action
Controls, supports, or documents program delivery
6. Where should I file e-mail?
E-mail should be filed in your institution's records, document, and information management system upon creation or receipt.
7. Who is responsible for saving Institutional e-mail?
The sender/originator - In the instance where you are the originator and you have created an e-mail message for response from one or several recipients, you must ensure that the original text and all responses that form the complete e-mail record are retained.
An e-mail recipient must retain any e-mail received from an external source that contains information that does not exist elsewhere in the institution. This also applies if the recipient is only cc'ed
Institutional e-mail contains information such as that pertaining to the institutes business, programs and services delivery activities, transactions and decision-making processes
8. Do I need to file my e-mail?
Yes. Messages that contain information created, received, acquired by or for the GoC in the course of doing business, program, and service delivery must be managed
Information in the GoC is subject to legislation, regulations and policies. These include, but not limited to, access to information, privacy, security, archival, library, official languages, internet and intranet management, and institutional legislation, regulation and policy.
9. Where should contractors/consultants working for the GoC file their e-mail?
E-mail and attachments produced and/or collected under contract should be filed in the institution's electronic information management system and in keeping with the organization's established processes and procedures.
Institutions need to ensure contractor/consultants working both off-site and on-site are aware of their responsibility to file e-mail and attachments produced and/or collected under contract.
26
Institutions need to make arrangements with the contractor for the handover and filing of the e-mail
10. Which e-mail may I delete?
E-mail and attachments which are not related to the business, program and service delivery of the GoC -- related to views and opinions not reflected in the course of employment
E-mail not pertaining to business activities, transactions and decision-making processes, e.g. duplicates, casual communications, information from automated distribution services, current awareness information received by e-mail from external sources e.g. media clips, information from listservs, and updates from personalized WebSites, commercial messages, spam etc.
NOTE: You must not delete any e-mail or documents once an access to information (ATIP) request relating to the subject is received.
11. What should I consider about attachments to e-mail?
Does the recipient have the software to read the attachment?
Is the size of the attachment reasonable?
Restrictions on attaching security classified documents.
Security classified documents must not be sent over the Internet i.e. Cabinet documents.
12. Does Access to Information legislation apply to deleted e-mail that has been copied to backup tapes?
Yes. But, departments as a rule do not search their backup tapes for records unless specifically requested to do so, or required to do so by the Information Commissioner as part of a complaint investigation.
Depending on the department, deleted items may reside on backup tapes, which are retained for different periods of time. In most cases, backup tapes are re-used or erased and then the information may not be available.
13. Does Access to Information legislation apply to e-mail created on a personal Internet e-mail account, e.g., Hotmail, Yahoo, using GoC equipment?
Yes. However, certain personal messages may be exempted from access. Your Institutional Access to Information and Privacy Office will provide guidance.
14. Are GoC consultants/contractors' e-mail accounts subject to a GoC ATI request?
Yes, for the information relating to or produced in accord with the terms of the contract or MOU with the GoC.
15. Who owns the information e-mailed by a consultant/contractor working for the GoC?
Ownership of the information will be defined in the MOU or contract agreement between the contractor and GoC.
27
E-Mail Retention Policy
Can we delete e-mails? “No, under section 67.1 of the Access to Information Act, it is a criminal offence to conceal, falsify alter or destroy government records. In all government operations there are a variety of records that are transitory in the sense that they are required only for a short period of time to ensure the completion of a routine action or the preparation of a subsequent record. These short-lived records are not essential in documenting the conduct of a department’s business and they can therefore be destroyed – this includes email messages. However, before destroying any record including email, ask yourself the following questions:
� Does it involve financial or legal matters or have policy, program or procedure implications?
� Does it provide a record of why or how decisions and actions were taken?
� Does it provide information needed to account for activities? If the answer to any of these is yes, then you are not dealing with a transitory record. The information must be retained and only disposed of in accordance with the Management of Government Information Policy and the National Archives Act. Remember, however, that once an ATIP request has been received, records usually considered transitory must not be deleted -- they then become records relevant to the request and must be provided to the ATIP office. The short answer to the question is that “it depends” – if the answer to the above three questions was no then there should be no problem with the destruction of that email. It is only when the email is considered to be an official record (the answer to any one of the questions was yes) that the email must be kept and only disposed of in accordance with the proper records management practices. In addition, please note that section 67.1 only applies if there is a deliberate intention to thwart access to records. The offence cannot be committed however when an employee is simply following the rules pertaining to proper records management and disposal.
28
Extensions Section 9 of the ACT allows the department to extend the due date of a request for the following reasons:
• if the request is for a large number of records or necessitates a search through a large number of records and
meeting the original time limit would unreasonably interfere with operations of the institution.
• In order to conduct consultations with other government institutions
• In order to conduct consultations with third parties
In order for ATIP to take an extension under the Act, especially those relating to consultations, we must be in possession of at least one record on which we can take an extension and send out as part of the consultation process. Therefore if your retrieval of records is going to take you a while, communicate with the analyst via your ATIP contact. Let them know the types of records you have retrieved thus far and if there are any other government or third party records among those you have already pulled. The analyst can then get a copy of one or two of those records from you by fax, take legitimate extensions within the first 30 days, and that then buys you and us additional time to properly complete the processing of the file without busting any legislated deadlines.
29
Frequently asked Questions and Answers - ATIP 1) Flagging pages for which the OPI has concern is very time consuming.
a) If some pages aren't flagged (if they get missed in the process), will Ottawa Atip find them and bring them to your
attention? ATIP analysts are not subject matter experts and they rely heavily on the recommendations provided by the programs. If no recommendations or inadequate recommendations are provided it is assumed the program has no objections to release of the records. It is the responsibility of the Regional Director, Area Director and the Pacific Assistant Commissioner CCG signing off on the package to ensure that all concerns are noted. ATIP does closely review the package for mandatory exemptions such as personal information and excluded material such as Cabinet Confidences. If however, we have material which falls under a discretionary exemption (meaning the department can choose to release the material even though technically it qualifies for an exemption), then if the program has not flagged any concerns, we will release the information. If, however, the Atip Officer happens to be aware of the sensitivity of a particular subject, we would most likely go back to the program to question the fact that no concerns were flagged by the program; or if we glean from reading the file that there may be issues (legal, political, federal / provincial, etc) resulting from release of the material – then the Atip Officer would again go back to the program and double check to ensure there are no concerns with release of the material, if the decision is made to release the information, the Atip Officer would ensure that communications material was prepared. Reminder, Please do not write directly on the records you are providing. Flag with stickies Only. b) If pages are flagged and the OPI has pointed out their concerns, is there a chance that those records will get released
anyway?
If OPIs flag documents/information as sensitive it is the policy of the Atip Secretatiat to go back to the OPI if we do not feel that the information can be protected. This is to be done by the analyst before release of the information to the applicant. 2) What happens to documents that have 3rd party information on them? (documents originated somewhere other than
the OPI - for example: another Department; another Country) Does the OPI have to flag these pages, or will the Atip Officer find them as they go through the records?
It is our policy to try to obtain an answer from OGD's, etc before we respond however, consultations are not "required" under the Acts. The Treasury Board Guidelines on the legislation does recommend consultations in certain circumstances however, it is the decision of the Atip Coordinator whether information is withheld or released, with or without having received a response to any consultations undertaken. It is important for the OPI to flag weather the third party document is sensitive especially if it’s not apparent from the document itself, documents provided in confidence to the department documents, relating to negotiations the department is currently involved in, documents relating to any kind of ongoing lawful investigation, etc. Please put notes on those kind of third party documents for the ATIP analysts. Also flag any and all background or contextual information is for
e analyst to be able to properly review the file and protect the sensitive information appropriately. th 3) How long are we required to save/file e-mails? It would depend on the subject of the e-mail. This is a record management issue. Please contact Regional Supervisor Records Management (Pierre Bourassa) for a response on retention and disposal periods.
30
4) Someone has said that he has so many e-mails filed in archive folders, that he's received messages from IT in the past
to 'clean out the drive'. Any advice on how he's supposed to do this while at the same time retaining his documents for the required retention period.
The majority of Email are records just the same as memorandum, letters or briefing notes, etc. Emails are a record of the workings and decision-making process of this department. They must be retained in some form - either electronically or in paper form. You might want to discuss with records management best records keeping practices. Again, I would suggest to contact Regional Supervisor Records Manager (Pierre Bourassa). One idea is to burn all your emails on a CD, and file by year. 5) If a person is only cc'd on an e-mail, does he/she have to provide it as a record? If you receive a request that the subject of the e-mail relates to, yes it has to be provided. 6) Deadlines - is it possible to extend the time period that is allotted to the Atip process? Yes, as stated in our procedures for the Pacific Region, we can extend only if the documentation requested is voluminous. When searching a large volume of records first look for 3rd party information and forward to the Atip Advisor ASAP. A request for an extension can be made on the basis of 3rd party information. 7) Search Estimate - It's tough to provide a search estimate sometimes, since the person might not know how many boxes would need to be retrieved from Archives. Please keep in mind a search estimate is only for the actual time that you will spend searching for the relevant records. Consider first how many files you have to search through and how many pages approximately are in those files. Also consider how many offices have to be searched; how many office filing cabinets, email accounts, are there records in storage in the building, offsite are there records burned on CD's etc. Keeping orderly files can assist in searches. See under procedures Search Time Estimate Definition.
31
HTML Format Rich Text All staff who are now using MECTS (document tracking system) should also be searching for records within MECTS for relevant material in response to ATIP requests. Any signed versions of records are to be included. E-mail messages that have been printed in HTML format do not show icons for attachments. It is often unclear whether attachments exist in this format. Please change your e-mail default format from HTML to Rich Text. In order to prevent e-mail strings, check to see if the box stating "start each item on a new page" on the print screen has been checked. The check mark will ensure that each new email is printed on a separate page. The ATIP office in Ottawa will not accept a record response that includes e-mail strings it will be returned for correction. I have attached a couple of visual aids that display the proper print format window which will correct these problems.
32
Instructions to change e-mail default format from HTML to Rich Text:
1. Go to Tools 2. Choose options 3. Choose Mail Format Tab 4. From first drop down list, choose Rich Text 5. Press “Apply button”
33
In order to prevent e-mail strings, when selecting more than 1 e-mail to print, please ensure check box below:
Start each item on a new page
34
Records Management – Official Records
-Anything that you create and/or receive while working in your capacity as a government official is an OFFICIAL RECORD. While Access to Information deals with ALL RECORDS held by an institution (DFO), records management pertains mostly to OFFICIAL RECORDS. What Official Records Must You Keep?
-Official Records (paper or electronic): -Include Draft Documents -Reflect DFO position(s) or business -Initiate, authorize or complete a business transaction -Original messages of policies and directives -External source messages that are part of a departmental record -Copies containing more or less than the original record -Work schedules; assignments; minutes of meetings; briefing notes; final reports; and recommendations -When you change jobs / leave the Department, your OFFICIAL RECORDS must stay with the institution (including black book and palm pilot data, etc). -Originators of OFFICIAL RECORDS are responsible for keeping anything that they distribute (ie. E-mails that they send). What Records can you destroy?
-TRANSITORY RECORDS, once no longer needed -Drafts that do not show evolution of a document -EXACT duplicate copies; copies for reference info. -Messages in a form used for casual conversation. -Notices of Employee meetings, holidays, etc. -DO NOT destroy any records, even transitory ones, related to an active ATIP request. Even if a record is due to be destroyed in accordance with an official retention schedule, once an ATIP request has been received for that record, it cannot be destroyed for at least 2 years AFTER the ATIP file is complete.
35
Example of a Search Estimate Form
MEMORANDUM NOTE DE SERVICE
Access to Information and Privacy
To À
Norma McLelland A/Director/Coordinator Access to Information and Privacy
From De
Security Classification - Classification de sécurité
Our file - Notre référence
ATI- Your File - Votre référence
Date
Subject Object
SEARCH ESTIMATE FORM PACIFIC REGION
SEE ATTACHMENTS A & B FOR GUIDELINES WHEN COMPLETING THIS FORM • Justification must be provided for all search time submitted. Request Number: Estimate of Time for Search: Estimate Number of Records to be searched through: Justification: • Time Spent Photocopying is not to be included in the estimate.
• To assist you in making a time estimate, the following guidelines have been established:
• 12 inches or 30 cm of paper contains between 1,500 and 2,500 pages. • It is estimated to take about 1 hour to search through 12 inches or 30 cm. Of paper in order to determine
which records are relevant.
36
37
a)
b)
ATTACHMENT A Search Estimate
Search time is the actual time it takes an individual to locate and identify a record as being relevant to the request. Examples by record type and filing format,
4) Electronic records – the search through these records can be completed using a `key word search`. The estimate for this types of search cannot include the time it takes the computer to search nor the time it takes you to print the records located.
5) Email records – the same `key word search` may be used and the same criteria applies as above. 6) Hardcopy records – This type of record can exist in different formats dependant upon the operational requirements of
your sector.
records filed by subject matter ie) for Habitat Biologists; files are generally by proponent/project. Therefore, if the request is for all records on that particular project, the only search would be the time it takes you to open your filing cabinet and locate the file labelled `project x`. If the request is for portions of that file however, then the search required would be calculated on the basis of how thick the file is
records filed by type of record, ie) Briefing Notes – if the request is for particular subject(s) and your file is by
date, you would have to search through the entire file to find relevant records. This would result in a search estimate based on the thickness of the file.
38
ATTACHMENT B
Relevant Records Guide
Estimated Number of Relevant Records Guide: Example Approach # 1: To help make a determination on the number of estimated relevant records, the OPI should conduct a sample search. For instance if you have 10 inches of records, select a sample of 1 inch. Review records to determine how many in the 1 inch are relevant. If there is 1 relevant record in the one inch, based on that ratio – in the 10 inches of records there may be 10 relevant records: 1 inch = 1 record 10 inches = 10 records (potentially). Example Approach # 2: If you have one filing cabinet drawer full of memos and you know that there is one memo in the drawer is relevant, but that you would have to search the 12 inches of records to locate it – the number of potential relevant records would be 1.
39
Transitory Records
Copied from TB Guidelines
Transitory records In all government operations there are a variety of records that are transitory in the sense that they are required only for a short time to ensure the completion of a routine action or the preparation of a subsequent record. These short-lived records are not essential in documenting the initiation or conduct of a government institution's business. Examples are the telephone inquiry slip used simply to forward a message, draft documents reflecting initial thoughts before a document is shared with anyone beyond the Public Service employee creating it, or unannotated copies of documents used for information or reference purposes, the originals of which are included in departmental records. Similar situations arise with electronic documents such as early drafts and short-lived electronic mail. A simple rule of thumb to use in identifying a transitory record is to ask yourself whether the record is used either to initiate or continue a departmental activity, provides comments on an activity under way which requires administrative action, or requests an opinion on an activity of interest to the institution. If the answer to any part of this question is yes, you are not dealing with a transitory record. Transitory records also exist in data processing environments where input/source records, intermediate input/output records, valid transaction files, system audit records, test records, and print files may be deleted in accordance with system design specifications. All these transitory records have limited value to the institution and should either be disposed of at the discretion of the individual creating them or by automatic default in automated systems. However, if they have not been disposed of before a request is received to which they may be pertinent then they fall under the Act and, according to the law, must be dealt with as part of the request. Transitory Records • Routine: memos to all staff, notices for holidays, personal messages like “lets have lunch”; and unsolicited
advertising materials • Relating to an employee’s personal life or activities • Working draft of documents before they circulated for comment • Does it involve financial or legal matters or have policy, program or procedures implications? • Does it provide a record why or how decisions and actions were taken? • Does it provide information needed to account for activities? Transitory • If only you have worked on the document • If no significant changes have been made
40
Privacy Act
What is the Privacy Act? The Privacy Act came into force in 1983 and provides the individual with the right to access personal information which the government of Canada holds about them. The Act defines collection, retention and disposal of personal information. Who has access? Every individual who is a Canadian Citizen or a permanent resident within the meaning of the Immigration Act has a right to access their own information.
What is considered personal
information under the Privacy Act?:
Information about an identifiable individual that is
recorded in any form including but not restricted to: • race, national or ethnic origin, colour, religion, age or
marital status, • education, medical, criminal, employment history, • any identifying number, address, fingerprints, blood
type • the views or opinions of another individual about the
individual, • correspondence about individual sent to government
that is private or confidential in nature.
What is NOT considered personal information under the Privacy Act?
• information pertaining to positions or duties of
federal public servants including classification, salary range, responsibilities of position held by individuals,
• information pertaining to services performed under
contract, • discretionary benefits of a financial nature • information pertaining to an individual who has been
deceased + 20 yrs.
What should we know about the Collection of Personal Information by a Government Institution?
• Limit the collection of personal information to the minimum
details needed to operate programs or activities. • Collect the information, whenever possible, directly from the
person concerned. • Tell the person why the information is being collected and
how it will be used. • Do not use the information for other purposes, unless allowed
by law. • Keep the information for long enough to allow the person a
reasonable opportunity to obtain access. • Ensure the information is as accurate, up-to-date and
complete as possible. • Do not disclose personal information unless specifically
allowed by the Privacy Act or another law.
Your Responsibilities under the Privacy Act as a DFO Employee:
• Ensure that the above-referenced responsibilities are
complied with. • In response to Privacy requests, employees are required to
provide all relevant information in their possession that responds to the subject matter of the request.
• Responsible to ensure that deadlines for requests are met.
• Responsible to provide comments and recommendations regarding disclosure of records.
For further information on the Privacy Act:
Contact your Atip Advisor, ATIP Telephone: (604) – 775-7830 http://www.dfo-mpo.gc.ca/atip-aiprp/index_e.htm
FACTS:
In its day-to-day operations, the federal government collects personal information from almost ALL Canadians. The Privacy Act protects your personal information and gives you the right to see it. DID YOU KNOW?
• There is no charge to apply for information under the Privacy Act.
• The government can only disclose your information to someone else with your consent or when one or more of the criteria in the Privacy Act are met – such as complying with a subpoena.
• The Privacy Act and the Access to Information Act are the rights of all individuals/citizens of
Canada (as defined in these acts) - including YOU.
You, as a DFO employee and a citizen of Canada, have the right to access your personal information - within DFO and other government institutions.
You, as a DFO employee and a citizen of Canada, have the right to put in Access requests for information within DFO and other government institutions.
41
Example of a Privacy Act Form
42
Info Source Publications
About Info Source
Info Source is a series of publications containing information about the Government of Canada, its organization and information holdings. It supports the government's policy to explain and promote open and accessible information regarding its activities. It is a key reference tool to assist members of the public in exercising their rights under the Access to Information Act and the Privacy Act.
Treasury Board is also responsible for the annual publication of an index of personal information that will both serve to keep the public information of how the government handles personal information, as well as facilitating the public's ability to exercise its rights under the Privacy Act. Treasury Board Secretariat fulfils these requirements through the annual publication of Info Source that is comprised of the following publications:
Info Source is distributed to libraries, municipal offices and federal government offices across Canada.
Info Source is comprised of the following publications:
Sources of Federal Government Information: This publication describes the organization and information holdings of all federal government institutions subject to the Access to Information Act and/or the Privacy Act.
• helps individuals determine which institution to contact about requesting information formally or informally.
• provides individuals who are not, and who have never been employees of the federal government, with relevant information to facilitate access to personal information about them held by a federal government institution subject to the Privacy Act.
Sources of Federal Employee Information: This publication lists personal information banks on federal employees for all government institutions subject to the Privacy Act.
• contains information to help current and former federal government employees to locate personal information held by the government.
• is intended to help former and current government employees to exercise their rights under the Privacy Act
Directory of Federal Government Enquiry Points: This publication is intended for use by the public and by public service employees. It contains one section entitled "Federal Government Enquiry Points" which lists contact information for federal departments and agencies.
• contains addresses and telephone numbers for federal departments and agencies subject to the Access to Information Act and/or the Privacy Act.
• Other institutions associated with the federal government are included to facilitate access.
Access to Information Act and Privacy Act Bulletin: This annual Info Source bulletin contains summaries of federal court cases and statistics of requests made under the Access to Information Act and the Privacy Act.
• provides statistical information about the number of Access to Information and Privacy requests on an annual basis and cumulative statistics since 1983.
• contains a summary of federal court cases related to Access to Information
43
This Info Source publication has three main components:
1. Introduction The Introduction includes:
• a summary of the roles and responsibilities of the federal government institutions that are either responsible for the production of Info Source or are responsible for the provision of input to the Info Source publications;
• some essential points about the Access to Information Act and the Privacy Act and directions on how to locate information by using Info Source or by making a formal request under either Act.
• contact information if you wish to obtain a copy of any of the Info Source publications
• a listing of those institutions for which Access to Information Requests must be accompanied by cheques or money orders made out to the institution itself and not to the Receiver General of Canada
• information about the terms used throughout the book, including the description of the Standard Program Records and
• a listing of Access to Information and Privacy Coordinators, which is organized in the same order as the Table of Contents, gives you the address and telephone number of all Access to Information and Privacy offices.
2. Standard Program Records and Personal Information Banks
Standard Program Records: There is some information that is almost universally collected and maintained by federal institutions in their record keeping systems in support of common functions and activities. This information is used to document internal administrative functions, systems and procedures. They describe information related to Human Resources, Material Management, Corporate Services, etc.
A number of standard program records and related descriptions have been established by Treasury Board Secretariat and are included in this publication. Institutions may declare one or more of these standard records, rather than develop institution-specific record descriptions.
Standard Personal Information Banks: Standardized descriptions of personal information have been developed by Treasury Board to describe personal information that may be found in records commonly maintained by federal institutions and are included in this publication. Institutions may choose to register and declare one or more of these standard Personal Information Banks rather than develop institution-specific PIBs.
3. Chapters There is one chapter for each federal government department or agency subject to the Access to Information Act and the Privacy Act, or to the Privacy Act only. Chapters are arranged in alphabetical order by the commonly used name of the institution. Each chapter contains the following (please note that institutions that are not subject to the Access to Information Act do not have to include these elements. Their reporting requirements are limited to Personal Information Banks):
General Information about the institution, including:
Background
Responsibilities
Legislation
Organization
44
Information Holdings including:
Program Records
Standard Program Records
Personal Information Banks
Standard Personal Information Banks
Classes of Personal Information
Manuals
Additional Information including:
The name of the institution to which any payment should be made if the institution does not have an account with the Receiver General of Canada;
The address of a central information source, as well as regional locations, if any; and
The address(es) of Reading Room(s).
Using Info Source quickly and effectively
Determine the correct chapter Turn to the chapter of the department or agency you think has the information, and check the Program Records and the Personal Information Banks.
If you don't know if you have the correct department or agency, a telephone call or letter to any Access to Information and Privacy Coordinator's office should provide the answer.
For persons with disabilities Individuals who are unable to exercise their rights using regular procedures may obtain further assistance from any Access to Information and Privacy Coordinator's office.
Responsibilities of Individual Institutions
Government institutions are required to provide their information to Treasury Board Secretariat on an annual basis. This information is utilized in the production of the publications required by the Access to Information Act and Privacy Act. Consequently, each department and agency is responsible for the information it submits.
For more information on Info Source see Web site http://www.infosource.gc.ca
45
Personal Information and Protection of Electronic Documents Act - (PIPEDA)
All personal information under the control of federal government institutions is subject to the Privacy Act. The PIPEDA (Personal Information and Protection of Electronic Documents Act) is a law which sets out the ground rules for the collection, use and disclosure of personal information in the course of commercial activities. It balances an individual's right to privacy with an organization's need for personal information for legitimate business purposes.
The PIPED Act has been coming into effect in stages. Beginning on January 1, 2001, the Act has applied to personal information about customers and employees in the federally-regulated sector in the course of commercial activities - organizations and sectors such as airlines, banking, broadcasting, telecommunications and transportation. It has also applied to information sold across provincial and territorial boundaries.
Beginning on January 1, 2002, the Act has also applied to personal health information collected, used and disclosed by the organizations covered in the first phase.
Starting January 1, 2004, the PIPED Act applies to all personal information collected, used or disclosed in the course of commercial activities by all private sector organizations except in provinces which have enacted legislation that is deemed to be substantially similar to the federal law. To date, British Columbia, Alberta and Quebec are the only provinces with legislation that has been deemed substantially similar.
The Personal Information Protection and Electronic Documents Act
The Act - choose one version below.
The official version of the Act that was updated to August 31, 2004 from the Department of Justice of Canada Web site. Full document for printing
Please note that there is an error in paragraph 7(3)(d) of the Personal Information Protection and Electronic Documents Act (PIPEDA) which appears on the Department of Justice Web site (English version only). It is un amended and should read:
"(3)For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
(d) made on the initiative of the organization to an investigative body, a government institution or part of a government institution and the organization
(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or
(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;"
The official version of the Act that received Royal Assent on April 13, 2000 from the House of Commons Web site. Must be downloaded in several sections. (Print format in PDF)
Implementation Schedule
Implementation Schedule - The Act is being implemented in three stages, from January 1, 2001 to January 1, 2004.
Regulations
Regulations - Specifying publicly available information, investigative bodies and also an Order Binding Certain Agents of Her Majesty for the Purposes of Part 1 of the Personal Information Protection and Electronic Documents Act have been published in Part 2 of the Canada Gazette
46
Privacy Principles
The Privacy Principles - A list of fair information principles developed by the Canadian Standards Association that have been incorporated into the Personal Information Protection and Electronic Documents Act.
Fact Sheet
Privacy Legislation in Canada
Discussion Paper
Industry Canada has commissioned a research paper on Regulations Specifying Publicly Available Information, by the firm of McCarthy Tétrault. (This requires Adobe Acrobat Reader)
Guides
Your Privacy Rights: A Guide for Individuals to the Personal Information Protection and Electronic Documents Act. (PDF)
Your Privacy Responsibilities: A Guide for Businesses and Organizations to the Personal Information Protection and Electronic Documents Act. (PDF)
Reference
Backgrounder: The Personal Information Protection and Electronic Documents Act
Primer on C-6 - A summary of the key provisions of the Act prepared by Industry Canada.
The International Evolution of Data Protection - Prepared by Industry Canada.
The Protection of Personal Information and the Provinces - Prepared by Industry Canada.
The Protection of Personal Information in Quebec - Prepared by Industry Canada.
Privacy Initiatives for the Younger Generation - Prepared by Industry Canada.
A Guide to Bill C-6 - An outline of the Personal Information Protection and Electronic Documents Act as of April 15, 1999 ((does not include all amendments) by privacy consultant Murray Long.
PIPEDA Website: http://comm.info.pac.dfo.ca/atip/pipeda.htm
For further information.
http://www.privcom.gc.ca/legislation/02_06_02a_e.asp
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_121/siglist_e.html http://www.dfo-mpo.gc.ca/atip-aiprp/index_e.htm
47
Personal Information is Defined in the Privacy Act
"personal information" means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,
(f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,
(g) the views or opinions of another individual about the individual,
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
(i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,
48
Privacy Impact Assessment Policy – PIA’s Institutions must initiate and define the scope of the Privacy Impact Assessments in the early stages of the design or re-design of a program or service so as to influence the developmental process. If the proposal involves:
• a new or increased collection, use or disclosure of personal information, with or without the consent of individuals;
• a broadening of target populations;
• a shift from direct to indirect collection of personal information;
• an expansion of personal information collection for purposes of program integration, program administration or program eligibility;
• new data matching or increased sharing of personal information between programs or across institutions, jurisdictions or sectors;
• development of or a new or extended use of common personal identifiers;
• significant changes to the business processes or systems that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information; or
• the contracting out or devolution of a program or service to another level of government or the private sector;
• Policy Objective • “To assure Canadians that privacy principles are being taken into account when there are proposals for, and
during the design, implementation and evolution of programs and services that raise privacy issues by • Prescribing the development and maintenance of Privacy Impact Assessments, and • Routinely communicating the results to the OPC and Public • What Does This Mean?
• Institutions MUST review their legislation and policies to see if they are meeting privacy and information
management compliance requirements • This review must be done in accordance with departmental privacy policies • Impact on InfoSource and PIB’s • Impact on information management guidelines, inventories, classification systems, retention schedules, security
etc • PIA’s must be done…
o For all new programs or services that raise privacy issues o For existing programs and services that are undergoing substantial re-design o For existing programs and services moving to an electronic delivery channel o Any other existing program or service where there may have been privacy issues not previously
addressed o A new or increased collection, use or disclosure without consent o A broadening of target populations o From direct to indirect collections o Expansion of personal information collected for program integration, program administration or
program eligibility o New data matching o New or extended use of identifiers o Changes effecting physical or logical separation of personal information or security mechanisms
49
o Contracting out or devolving programs or services
• Who Does What? • Heads are responsible for:
o Ensuring that their institutions comply with Privacy Act and Regulations • Deputy Heads are responsible for:
o Promoting awareness of requirements of this policy o Ensuring that the process and tools are rigorous o Establishing a process for consulting with the OPC o Making summaries public
• Departmental staff are responsible for: o Determining the need for conducting PIA’s o Collaborating with appropriate staff
• Treasury Board Secretariat: o Interprets policy o Provides advice o Develops guidelines to assist in implementation o Monitors compliance o Will conduct a comprehensive review in five years
• Doing PIA’s
o Preliminary PIA’s o Identify types and volumes of personal information o Verify legislative and policy authorities o Establish roles, responsibilities; legal and policy status of stakeholders o Identifying primary privacy risk o Initiating contact with OPC o Defining scope of final PIA
o Business Model o Who is doing what to who, when, why and for how long? o Why are they doing it? o Are they allowed to do it? o How are they going to do it? o Where are they going to do it? o With what are they going to do it? o Who is helping them to do it?
50
Frequently Asked Questions regarding PIAs:
What is the PIA Policy, and why was it developed?
The Privacy Impact Assessment (PIA) Policy enhances the government's implementation of the federal Privacy Act by providing federal departments and agencies with a consistent framework to identify and resolve privacy issues during the design or re-design of programs and services. The Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks will assist institutions in conducting assessments.
While the PIA Policy is new, federal departments and agencies already conduct assessments and take steps to ensure the protection of Canadians' privacy in transactions with the government. The PIA Policy was developed to help federal departments and agencies better provide Canadians with assurance that their privacy is protected when they deal with the Government of Canada, whether they transmit their personal information in-person, by telephone, by mail or on-line. This will be accomplished by documenting, publishing and maintaining PIAs for all programs and services where privacy issues may be inherent.
This is the first time a national government has made conducting PIAs a matter of official policy. By taking a leadership role in privacy management, the Government of Canada reaffirms its commitment to privacy and its role as custodian of personal information. Privacy protection is vital to the success of the Government On-Line initiative.
What legislation supports the PIA policy?
The PIA Policy, developed with input from the Office of the Privacy Commissioner, is based on privacy principles outlined in the Privacy Act. The Privacy Commissioner has publicly endorsed PIAs as a means of ensuring the protection of Canadians' personal information.
The Privacy Act sets out roles and obligations for departments and the Treasury Board of Canada Secretariat is responsible to guide departments and agencies on how they apply the principles contained within the Act. The Office of the Privacy Commissioner has the mandate to investigate and respond to complaints related to the Act.
Link to Privacy Act on Department of Justice web site: http://laws.justice.gc.ca/en/P-21/index.html
Under what circumstances must a PIA be developed?
Departments and agencies must conduct PIAs for proposals for all new programs and services that raise privacy issues. For programs and services implemented prior to this policy, institutions must undertake assessments if they are substantially re-designing them; changing the way they are delivered; or transforming them for electronic service delivery in a manner that affects the collection, use or disclosure of personal information.
Institutions must initiate and define the scope of the PIAs in the early stages of the design or re-design of a program or service so as to influence the developmental process. If the proposal involves any of the following, a Privacy Impact Assessment is required:
a new or increased collection, use or disclosure of personal information, with or without the consent of individuals;
a broadening of target populations;
a shift from direct to indirect collection of personal information;
an expansion of personal information collection for purposes of program integration, program administration or program eligibility;
new data matching or increased sharing of personal information between programs or across institutions, jurisdictions or sectors;
development of or a new or extended use of common personal identifiers;
51
significant changes to the business processes or systems that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information; or
52
the contracting out or devolution of a program or service to another level of government or the private sector.
How will departments apply the PIA Policy?
Detailed criteria on conducting a PIA is contained in the Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks. These guidelines provide a step-by-step approach to the assessment process. The steps include project initiation, data flow analysis, privacy analysis and preparing the Privacy Impact Assessment Report. Where programs and services involve cross-jurisdictional or cross-sectoral activities, PIAs assist institutions in identifying the requirements of the various legislations and ensure that the provisions of federal legislation and policies are respected.
Treasury Board of Canada Secretariat is also providing support to departments and agencies through a number of information sessions and workshops. Other planned support includes templates, the development of best practices, an independent PIA expert and an e-learning tool.
How will the PIA Policy be enforced?
Treasury Board Secretariat (TBS) will monitor compliance with the PIA Policy in the context of the government-wide policies and guidelines pertaining to all aspects of project management. TBS will undertake a comprehensive review of the provisions and operation of the policy within five years of its coming into effect.
Are PIAs new?
PIAs have been used as far back as the 1970s. They have more recently been used in the U.S., New Zealand, Hong Kong and elsewhere. Several Canadian provinces have also adopted PIAs. While the PIA Policy is new, federal departments and agencies already conduct assessments and take steps to ensure the protection of Canadians' privacy in transactions with the government. This policy makes it mandatory for all federal departments and agencies to document, publish and maintain PIAs for all programs and services where privacy risks may be inherent.
Are PIAs made public?
Institutions must make summaries of the results of their PIAs available to the public in a timely manner, using plain language and in both official languages. Institutions must routinely release summaries of their assessments, taking into account that:
there may be components that must be protected under the Access to Information Act or the Privacy Act;
in certain cases, assessments could contain information that would render systems or security measures vulnerable; or
in certain cases, assessments could refer to programs or services that have not been formally approved or announced.
The Internet and conventional publishing should be used to disseminate assessments and may include references and links to related documentation.
Was any consultation done for this Policy?
Extensive consultation took place with the Federal/Provincial Privacy Working Group, Treasury Board Secretariat policy centres, stakeholder communities and key interdepartmental committees including the Information Management/Information Technology Board (IMB), Treasury Board Senior Advisory Committee (TBSAC) and its Information Management Sub-committee. The Office of the Privacy Commissioner also had input into the development of the PIA Policy.
The following link is the E-Learning tool on how to complete a PIA:
http://www.tbs-sct.gc.ca/pgol-pged/piatp-pfefvp/index_e.asp
