Public interest disclosures by federal institutions under the Privacy Act
Revised: June 2022
Guidance on disclosures under paragraph 8(2)(m), which allows institutions to disclose personal information in the public interest or in the interest of the individual to whom the information relates.
On this page
- Understanding paragraph 8(2)(m)
- The decision to disclose
- Notifying the Office of the Privacy Commissioner of Canada
Are you looking to notify the Office of the Privacy Commissioner of Canada of an upcoming or recent public interest disclosure?
Submit your notification using our new public interest disclosure portal under the section Notifying the Office of the Privacy Commissioner of Canada.
The Privacy Act allows federal institutions to disclose personal information in the public interest or in the interest of the individual to whom the information relates. This includes cases where health, safety or security may be at risk, as well as other situations related to the individual or public interest.
When seeking to make use of these provisions, it is important that institutions have a clear understanding of appropriate use. This understanding helps to ensure that privacy rights are appropriately considered.
Understanding Paragraph 8(2)(m)
Subsection 8(2) of the Privacy Act sets out specific circumstances in which government institutions may disclose personal information without the consent of the individual.
Paragraph 8(2)(m) permits the disclosure of personal information where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or disclosure would clearly benefit the individual to whom the information relates. It is up to the head of the institution, as defined in the Privacy Act, to make this assessment.
Paragraph 8(2)(m) is an important section in the Act which provides institutions with a tool to help them effectively balance an individual's right to privacy with other important contextual interests. For example, this provision has been used in cases such as:
- To seek assistance for an individual denied government benefits who has threatened self-harm or harm to others;
- To notify public health authorities charged with informing individuals of their potential exposure to a communicable disease; and
- To assist in locating the next of kin of an individual who is injured or deceased.
Paragraph 8(2)(m) may also apply in the context of a request for information under the Access to Information Act. While subsection 19(1) of the Access to Information Act requires heads of institutions to refuse to disclose any record requested that contains personal information, this requirement is subject to the discretionary exceptions contained in subsection 19(2). Of particular note is paragraph 19(2)(c) of the Act, which allows for the disclosure of personal information in accordance with section 8 of the Privacy Act. In considering whether to exercise discretion to disclose personal information in response to an Access to Information Act request under paragraph 19(2)(c), heads of institutions should follow this guidance.
The decision to disclose
The decision to disclose under paragraph 8(2)(m) requires a careful balancing of potentially competing interests. It is the responsibility of the head of the institution to ensure that the public interest clearly outweighs the invasion of privacy, in the case of subparagraph 8(2)(m)(i), or, in the case of 8(2)(m)(ii), disclosure must clearly benefit the individual to whom the information relates.
The discretion to disclose personal information should be exercised with restraint. Paragraph 8(2)(m) does not require disclosure by a government institution nor is it a "loophole" that allows government departments and agencies to make information public when it should remain private. With this in mind, government institutions should be careful not to disclose more personal information than is necessary.
Paragraph 8(2)(m) is applied in unique, fact-specific situations. In other words, institutions should exercise discretion to disclose personal information pursuant to this paragraph in unique circumstances where disclosure is truly justified.
Institutions should apply the "invasion-of-privacy" test to determine the level of privacy risk in the disclosure. The invasion-of-privacy test involves a detailed review of three interrelated risk factors that will help institutions determine whether to apply subparagraph 8(2)(m)(i). These factors are: the sensitivity of the information; the expectations of the individual; and the probability and degree of injury. In addition, institutions should consider factors unique to their own operational context, as applicable.
Tips for applying the invasion-of-privacy test1) Sensitivity of the information
- Consider whether the type of information is of a detailed (e.g., name and address) or highly personal (e.g., health information) nature.
- Evaluate the context in which the information was collected, and determine whether any contextual sensitivities apply to the information. For example, a list of public servants may not be considered particularly sensitive, but that same list, if collected to identify employees having a specific illness would be considered sensitive based on the context.
- Evaluate the conditions under which the personal information was collected, and consider what expectations the collecting institution may have established for its confidentiality, including whether the possibility of disclosure is conveyed in an applicable Privacy Notice Statement.
- Consider the reasonable expectations of privacy that apply to the context in which the information was collected. To determine what constitutes a reasonable expectation of privacy, courts will look at the totality of circumstances. This could include location of collection (e.g., in a private conversation as compared to a public town hall), context of collection (e.g., in a routine application for services as compared to a letter sent to several government ministers), etc.
- Consider the probability and degree or gravity of injury relative to the benefits of the disclosure to the public. This could include personal or physical injury, or damage to the reputation of an individual or others, which causes adverse consequences (e.g., any harm or embarrassment that negatively affects an individual's career, reputation, financial position, safety, health or well-being).
- Determine the potential of injury if the receiving party wrongfully disclosed the information further.
Alternatives to disclosure under paragraph 8(2)(m)
Whether in the context of an access request, open government or otherwise, institutions can often be open and transparent about their activities where there is a public interest in doing so without resorting to disclosing personal information pursuant to paragraph 8(2)(m). For example, institutions can provide the public with access to information on the application or outcomes of government policies in a format that does not include personal information, such as program evaluation reports. They can also release information that has been de-identified to the point that there is no longer a serious possibility that it can be used to identify an individual, either through that information alone or in combination with other available information.
If an institution finds that it is routinely relying on paragraph 8(2)(m) to disclose information under a similar set of circumstances, it should evaluate whether this paragraph is the most appropriate authority for disclosure. Given that disclosures pursuant to this paragraph require a case-by-case assessment as well as a notification to the Privacy Commissioner of Canada, institutions may find that there are options more amenable to conducting systemic disclosures. In these cases, institutions may find that they have established a program that may require a Privacy Impact Assessment (PIA); or may determine the need for an Information Sharing Agreement (ISA) to formalize an ongoing information sharing relationship.
Notifying the Office of the Privacy Commissioner of Canada
Under subsection 8(5) of the Privacy Act, the head of an institution has a duty to notify the Privacy Commissioner of Canada in writing prior to the release of any records under the Act's public interest disclosure provision. If this is not possible, institutions must notify the Commissioner as soon as possible upon the disclosure. This subsection serves to ensure that institutions rely on paragraph 8(2)(m) in a reasonable manner. The Commissioner may express concerns with the proposed disclosure and may notify the individual whose information will be disclosed.
The Commissioner has no authority to prevent the disclosure and it is ultimately the institution's decision as to whether to release the information.
Submit a public interest disclosure notification by filling up a questionnaire through the portal:
Please note that the portal accepts information of a Protected B level or below. In the case that an institution needs to provide information higher than a Protected B level, the institution should contact email@example.com to arrange transmission.
Alternatively, institutions may submit their notifications by mail to:
Privacy Commissioner of Canada
30 Victoria Street
Upon receiving notification of a public interest disclosure, the OPC's Government Advisory Directorate conducts a review of the disclosure. During the review, institutions may be asked to provide additional information to assist in understanding the context of the disclosure. We may provide recommendations for institutions to consider when applying the provisions. As noted above, in some circumstances, where deemed appropriate, the Commissioner may notify the individual whose personal information has been or will be disclosed.
For more information
The Government Advisory Directorate offers information sessions for federal public servants on public interest disclosures. To schedule a session or for any questions related to public interest disclosures, please contact the OPC's Government Advisory Directorate at firstname.lastname@example.org.
- Date modified: