Section 33.2 - Disclosure Inside Canada Only

Overview

Sections 33.1 and 33.2 combined list the only circumstances under which a public body may disclose personal information within Canada.  Unlike Section 33.1 which also includes disclosure outside Canada, Section 33.2 sets out the purposes for which personal information may be disclosed only within Canada.  For example, under section 33.2, a public body is permitted to disclose personal information where the person concerned has agreed in writing to the disclosure, in order to comply with legislation, for a consistent purpose, to respond to a subpoena, or where the information is necessary to assist public body employees (which includes contractors) in the performance of their duties.

Section Reference

Section 33.2 of the Freedom of Information and Protection of Privacy Act

A public body may disclose personal information referred to in Section 33 inside Canada as follows:

1. for the purpose for which it was obtained or compiled or for a consistent use with that purpose (see Section 34);
2. to comply with a subpoena, warrant or order issued or made by a court, person or body in Canada with jurisdiction to compel the production of information;
3. to an officer or employee of the public body or to a minister, if the information is necessary for the performance of the duties of the officer, employee or minister to whom the information is disclosed;
4. to an officer or employee of a public body or to a minister, if the information is necessary for the delivery of a common or integrated program or activity and for the performance of the duties of the officer, employee or minister to whom the information is disclosed;
5. to an officer or employee of a public body or to a minister, if the information is necessary for the protection of the health or safety of the officer, employee or minister;
6. to the auditor general or any other prescribed person or body for audit purposes;
7. to a member of the Legislative Assembly who has been requested by the individual the information is about to assist in resolving a problem;
8. to a representative of the bargaining agent, who has been authorized in writing by the employee, whom the information is about, to make an inquiry;
9. to a public body or a law enforcement agency in Canada to assist in an investigation
   1. undertaken with a view to a law enforcement proceeding, or
   2. from which a law enforcement proceeding is likely to result;
10. to the archives of the government of British Columbia or the archives of a public body, for archival purposes;
11. in accordance with Section 35 (disclosure for research or statistical purposes).

Summary

Section 33.2 lists the circumstances under which public bodies may disclose personal information within Canada.  Section 33.2 permits disclosure at the discretion of the public body.  Section 33.2 does not require disclosure.  As indicated by the word "may" in the opening phrase, a public body uses its discretion and considers each new situation on its own merits.  The disclosures of personal information within Canada are limited to the circumstances outlined in sections 33.1 and 33.2 combined.

The provisions of section 33.2 apply principally to disclosures to third parties, but also apply where a person requests access to her/her own personal information.

Policy

1. Public bodies may not penalize people for refusing to consent to a new disclosure of their personal information by denying them the benefit or service for which their personal information was originally collected, or in any other way.
2. Public bodies contemplating new legislation or revisions to existing legislation must complete a privacy impact assessment (PIA) as required by section 69(5) of the Act and in accordance with the Core Policy and Procedures Manual (section 12.3.3) Privacy Impact Assessments. Completed PIA’s must be submitted to the Minister responsible for the Act for review.  Provincial government ministries and agencies must also complete a privacy impact assessment when developing or making changes to programs or  electronic systems that collect, store, use or disclose personal information.
3. Public bodies should disclose only the minimum personal information necessary to meet the operational requirements under the specific subsection of section 33.2.  For example, in responding to a subpoena, warrant or order (Subsection 33.2(b)), the public body should only provide the personal information specifically requested in the subpoena, warrant or order.  Where the subpoena, warrant or order is unclear, public bodies should clarify with assistance of their legal representatives, as required.
4. For the purposes of section 33.2, the person to whom the information pertains must agree to the disclosure in accordance with the requirements set out in regulation 11.  Wherever possible, public bodies should obtain consent for all anticipated disclosures at the time that they collect the personal information (see manual Section 32).
5. If a public body discovers that it has accidentally disclosed an individual’s personal information, and the disclosure was not authorized by section 33.2 or 33.1, the public body must:
   • follow the Information Incident Management Process;
   • take steps to recover the personal information from all sources to which it has been disclosed;
   • determine the impact of the disclosure, and advise senior staff as appropriate;
   • advise, where appropriate, the individual whose information has been disclosed of the disclosure, explain the steps being taken to recover the information, and inform the individual of his/her right to complain to the Information and Privacy Commissioner;
   • advise both the Legislation, Privacy and Policy branch and the Office of the Information and Privacy Commissioner (OIPC) in situations where the disclosure may have a serious public or personal impact;
   • examine policies and processes that may have led to the breach of privacy and revise if necessary; and
   • provide staff education regarding privacy issues involved in the breach to reduce the potential of a future occurrence.

Privacy Protection Offences

Section 74.1 states that a person who discloses personal information not authorized by the Act, commits an offence. The fines for committing such an offence are up to $500,000 for a corporation; up to $25,000 for a partnership or an individual who is a service provider; and up to $2,000 for an individual who is not a service provider (for example, an employee). Section 74.1(8) states that in the defence of a prosecution of an offence under section 74.1, the person charged can try to prove that they exercised due diligence to avoid committing the offence.

Procedure

1. According to Regulation 155/2012, section 11, consent must be in writing and must specify to whom personal information may be disclosed and how it may be used (see manual Section 32(b)).
2. Unless compelling reasons exist requiring the contrary, disclosures are recorded in writing. If a public body receives a verbal request for personal information and discloses it verbally, the transaction should be recorded in writing.
3. All agreements, arrangements and treaties under which public bodies disclose personal information must be entered into the Information Sharing Agreement section of the Personal Information Directory that is published and maintained by the Legislation Privacy and Policy branch.
4. Public bodies should ensure that incoming requests for personal information from other public bodies or law enforcement agencies are authorized and contain the following details:
   • the name of the individual whose information is requested;
   • the exact nature of the information desired;
   • the authority for the investigation;
   • the purpose for which the requesting agency will use the information; and
   • the name, title and address of the person authorized to make the request.
5. The written request for personal information under this section and the outgoing correspondence (recording the fact that disclosure did or did not take place) should be retained on file. A written record of a verbal request and disclosure should be retained on file.
6. A "notice of disclosure" must be in writing and must describe the specific personal information elements, which were disclosed, when, to whom and for what purpose.
7. A copy of the notice is also placed on the file of the person whose personal information has been disclosed.

Interpretation

Interpretation Note 1 (Section 33.2(a)):

Secondary uses of personal information are disclosure or use of such information for a purpose other than that for which it was originally collected.  Secondary uses of databases containing personal information are restricted by section 33.2(a) of the Act.  The Section permits the secondary disclosure of personal information for the purpose for which it was obtained or for a "use consistent with that purpose", (Investigation Report P98-011)

The "purpose" for which personal information was obtained or compiled is the object to be attained or the thing intended to be done, e.g., the administration of a program, the provision of a service or other activity.  Such purposes must meet the requirements of Section 32.

Personal information may be "obtained" for a variety of reasons, for example, to decide on a person's eligibility for benefits, to determine if a person is a suitable candidate for a job with the government, to determine the type of medical care a person needs or to ascertain the level of the public's satisfaction with the service provided by a public body.

Personal information may be collected in a variety of ways -- through forms, surveys, interviews (where the responses are recorded in some way), questionnaires, film, audio or video tapes, magnetic media or other non-textual media.

Personal information is "compiled" when it is assembled from several sources or generated, calculated, extrapolated, interpolated, linked, deduced or created.

A consistent use is one that has a direct and reasonable connection to the original use.  A disclosure for a consistent use is therefore permissible if it is directly connected to the original use or is a logical extension of the original use.

Examples

• John Doe writes to a municipal councillor in order to raise an issue that he would like to have discussed at an upcoming council meeting.  The letter does not contain sensitive personal information and Mr. Doe request that the councillor bring the issue forward on his behalf.  IN this case, it would be a consistent use of Mr. Doe's personal information to circulate the letter at the council meeting without severing.
• A community health unit compiles a mailing list of participants in a pre-natal program.  The health unit created and uses the mailing list to distribute information about program activities and about pre- and post-natal health care.  Disclosure of the mailing list to the the Ministry of Health so that the Ministry can monitor the program's effectiveness would be consistent with the purpose for which the health unit originally compiled the list.  Disclosure to a local retailer who intends to distribute a catalogue of baby products would not be consistent with the purpose for which the health unite compiled the list.  The health unite would have to obtain the consent of each individual on the list before disclosing it to the retailer.
• Providing a local newspaper with copies of photographs taken by or for a school may, in some circumstances, be disclosure of the students' personal information for a consistent purpose. In deciding whether or not such a disclosure is permitted under paragraph 33.2(a), the school considers the purpose of disclosing the photograph and whether it has a reasonable and direct connection to the purpose of the event being photographed.
• There may be a reasonable expectation that photographs of participants in a public function such as a soccer game or a school play would be disclosed publicly. For example, the publication of a photograph of the cast of a school play in a flyer advertising the play would be disclosure for a consistent purpose.
• It is less likely that there would be the same expectation of disclosure of candid photographs of students in a classroom or on the playground.
• Whether or not a school allows a local newspaper to photograph school events is determined by the school's general policy on access to school property, not by the Act. The newspaper is not a public body and their collection and use of personal information is not governed by the Act.

Public bodies may disclose personal information if it is necessary to do so in order to accomplish the purpose for which the personal information was originally acquired or assembled.  Such purposes must meet the requirements of Section 32 (Use of personal information).

Public bodies may disclose personal information for a consistent use if it is directly connected to the original use or is a logical extension of the original use.  See Section 34.

Interpretation Note 2 (Section 33.2(b)):

A "subpoena" (from the Latin sub poena, "under penalty"), also called a "summons to witness", is a command issued by a party in litigation requiring the attendance of a person as a witness at a court or hearing, at a certain place and time, to give testimony on a certain matter. Under a subpoena duces tecum ("[bring the documents] with you under penalty"), the person may also be required to bring documents, records or files in her/his possession or under her/his control relating to the subject matter of the proceedings.

In this context, a "warrant" is a judicial authorization to collect [personal] information.

In this context, an "order" is an authoritative command, direction or instruction [to produce personal information].

A "Court, person or body with jurisdiction to compel the production of information" has the power to order persons or bodies to produce information.

Time is usually of the essence in dealing with a subpoena, as it is often served with very little notice.; Employees of public bodies do not ignore subpoenas, as they risk being cited for contempt of court and, at a minimum, fined if they do so. Consult with the public body’s legal counsel and respond accordingly.

Although public bodies "may disclose" personal information under paragraph 33.2(b), public bodies normally comply with orders, warrants or subpoenas, both to assist in the administration of justice and because they may be cited for contempt of court if they refuse to comply with the order, warrant or subpoena.

Public bodies may wish to consult their legal advisors when they receive an order, warrant or subpoena to determine the compellability of the personal information in question, whether the subpoena, order or warrant has been served properly or whether there is some compelling reason to oppose the order, warrant or subpoena.

Interpretation Note 3 (Section 33.2(c)):

Public bodies may use this provision to disclose personal information to an officer or employee within the public body or to any minister. This means that the minimum amount of personal information is disclosed to the fewest number of people necessary to perform the duties of, or protect the health or safety of, the officer, employee or minister.

Paragraph 33.2(c) does not allow disclosure to the employees or officers of other public bodies

An "employee" is a person employed by a public body. The definition of employee in Schedule 1 of the Act includes a person retained under contract to perform services for the public body. The term "officer" is included to ensure that all persons working for a public body in any capacity are encompassed by this disclosure provision.

Example

• A student working with a public body as part of their educational activities or doing a practicum are to be deemed to be either an employee or an officer for the purposes of this Act.

A "minister"

"Necessary for the performance of the duties" means that the employees, officers or ministers must need to see, generate or handle the personal information in order to do their jobs. This may include the administration of statutes, regulations, programs and other activities.

Examples

• A staffing officer and members of the screening and assessment board require access to the resumes of applicants in a job competition as part of their responsibilities in running the competition.
• A payroll clerk must see some of the personnel information of a public body's employees to administer their pay, service and attendance records.
• A manager must see relevant records in an employee's personnel file to determine what disciplinary action is appropriate.
• A director or manager of information and privacy requires access to personal information in an applicant's record to manage a request.
• A municipal property owner writes to a municipal councillor in order to solicit her aid in resolving a dispute with an identified local employee. The letter includes sensitive information about the property owner's finances and the councillor is asked to treat the matter in confidence. It may be necessary for the councillor to disclose the personal information to the municipal official in charge of the employee's work area in order to resolve the problem. However, only the personal information that is strictly necessary for the official to deal with the problem is disclosed. The letter may not be circulated to other council members or discussed at an open meeting of council unless it can be severed so that the property owner's identity is not revealed.

Interpretation Note 4 (Section 33.2(d)):

Personal information may be shared with another public body’s officer or employee (which includes contractors) or to a minister in order to deliver a common or integrated program or activity. The personal information may only be shared to allow the officer, employee or minister to perform their duties.

Interpretation Note 5 (Section 33.2(e)):

"For the protection of the health or safety of the officer, employee or minister" means that the disclosure must be necessary to prevent harm to the health or safety of the person in question (officer, employee or minister).

Examples

• A public body has a client who is known to behave violently when dealing with the employees of this public body. The public body has told its employees about this client's behaviour and has instructed them to arrange for a security guard to be present whenever the client is known to be coming to the office for an appointment. This enables employees dealing with the client to take precautions for their own safety.
• A prison inmate with active hepatitis is due to be transferred from one institution to another. To enable escort officers to take adequate precautions against contracting hepatitis, it is permissible to warn them that the prisoner has a highly contagious disease and to tell them what measures they should take to minimize the risk of infection.

Interpretation Note 6 (Section 33.2(f)):

"Auditor General"

Public bodies may disclose personal information for audit purposes, financial or otherwise, to a person or body specified in the regulations to the Act.

Disclosure is permitted for an audit conducted both by employees or officers of the public body and by external contractors. (Contractors must undertake to abide by the provisions of the Act in protecting the personal information in their care).

The personal information disclosed under paragraph 33.2(f) may be used only for audit purposes.

The definition of "audit" in this context does not include the verification of claimants’ eligibility for benefits (i.e., where the personal information is used to make decisions about the persons concerned). It also does not include "security audits".

Paragraph 33.2(f) reinforces the authority of the Auditor General under the Auditor General Act to be given access to a wide variety of information in records under the custody or in the control of ministries and other public bodies in order to carry out her/his audit duties. The Auditor General may also require that officers and employees of ministries and public bodies provide explanations and reports needed to perform her/his audit duties. Similarly, "any prescribed person or body" performing audits may have access to whatever information is needed to carry out the audit.

Interpretation Note 7 (Section 33.2(g)):

A "Member of the Legislative Assembly (MLA)"

This provision allows a public body to disclose an individual’s personal information to a Member of the Legislative Assembly of British Columbia of British Columbia (MLA) to assist in resolving a problem raised by the individual.  In practice, MLAs may designate constituency assistants to act on their behalf in requesting personal information necessary to resolve the problem raised by the individual.

The written consent of the individual concerned is not normally required for disclosure to MLAs under paragraph 33.2(g).  When assisting a constituent in resolving a problem, constituency offices may complete and provide ministries with a Certificate of Authority to Obtain Personal Information (MS Word). This certificate facilitates the work of an MLA’s constituency office by certifying the MLA and their delegates are requesting the individual’s personal information from the public body in order to resolve a problem.

Paragraph 33.2(g) does not allow for the disclosure of personal information to elected federal or municipal representatives.

“Who has been requested by the individual the information is about”

Public bodies may use this provision to disclose to MLAs (or their designates) the personal information of the individual who has requested assistance.  Public bodies cannot use paragraph 33.2(g) to disclose to MLAs the personal information of someone other than the individual being assisted.

"Assist in resolving a problem"

Section 33.(g) permits disclosure of personal information to MLAs only where there is a problem to resolve.

Public bodies should also be aware that MLAs may communicate the personal information received under this provision to the individual they are assisting.  For this reason, public bodies should consider whether to disclose to an MLA any personal information they would decline to disclose directly to the individual if the individual made an FOI request.

Example

• An MLA who is assisting an individual in resolving a problem is seeking the individual’s personal information that is related to an investigation for law enforcement purposes.  If the public body would decline to disclose this personal information directly to the individual if the individual made an FOI request, then it may decide to decline to provide it to the MLA.

When in such circumstances a public body does choose to disclose personal information to the MLA to assist the individual in resolving a problem, the public body may consider requiring the MLA to undertake in writing not to disclose the information to the individual concerned.

Interpretation Note 8 (Section 33.2(h)):

"Representative of the bargaining agent"

Public bodies may disclosure personal information, as authorized by the person to whom the information pertains, to a representative of a union or other organization that negotiates on behalf of workers with their employers for improvements in pay, working hours, benefits and other working conditions.

"Authorized in writing"

The person to whom the information pertains must sign and date a consent form or other statement which clearly states to whom the information may be disclosed and for what purpose. The consent form should also provide notice to the individual that refusal to provide consent will not affect any decisions involving the individual.

"To make an inquiry"

For the purposes of an inquiry only, the representative may receive personal information that the employee has specifically authorized for release.

The representative may not exercise the employee's right of access to the rest of her/his personal information in the custody or control of the government or the employee's right to request a correction to his/her personal information.

Interpretation Note 9 (Section 33.2(i)):

Public bodies have the discretion not to disclose personal information to other public bodies or law enforcement agencies if the request relates to an investigation that is not focused and where personal information is sought on suspicion, surmise or guesses.

"Law enforcement"

A "law enforcement agency in Canada" includes any agency in Canada whose primary function is law enforcement. 

Examples

• Municipal police forces, such as the Vancouver Police or the Royal Canadian Mounted Police (RCMP) in its role as municipal police.
• Provincial police forces, such as the Ontario Provincial Police (OPP) or the RCMP in its role as provincial police.
• Federal agencies, such as the Canadian Security Intelligence Service (CSIS) and the RCMP in its role as federal police.
• Other federal, provincial and municipal agencies which enforce laws, such as the Canadian Border Service Agency. 

An "investigation" is a methodical process of examination, inquiry and observation including examining a crime scene, interviewing witnesses and reviewing documents.

A "proceeding" is the form and manner of conducting juridical business [business having to do with the administration of justice] before a court or judicial officer. Thus a "law enforcement proceeding" is a juridical process undertaken for law enforcement reasons with a view to imposing penalties or sanctions (as opposed to simply gathering information for intelligence purposes).

"likely to result"

For a public body to disclose personal information under this paragraph there must be a reasonable probability that a law enforcement proceeding will result.

"with a view to"

The purpose of the investigation must be to institute law enforcement proceedings, even if, for lack of evidence, such proceedings do not actually take place. 

Interpretation Note 10 (Section 33.2(j)):

"Archival purposes"

When a public body transfers records containing personal information to the control of the archives of the government of British Columbia, it is disclosing that personal information. The Act permits disclosure for "archival purposes", that is, for the purposes of any of the functions normally performed by, for or within an archives, including scheduling, selecting, preserving, arranging and describing records and making them available for use.

Interpretation Note 11 (Section 33.2(k)):

Section 33.2 lists the only types of disclosure permitted within Canada under the Act. In order for disclosures under Section 35 to be permitted, they it must also be included in Section 33.

"Section 35" permits disclosures by public bodies for research or statistical purposes if certain conditions are fulfilled. 

Sectional Index of Commissioner's Orders

For orders organized by the Act's section numbers, Click here.

For a summary of Commissioner's orders and policy interpretation of key points, Click here.

Last updated: March 26, 2010