Description: Records relating to Access to Information and Protection of Privacy (ATIPP) in accordance with the Access to Information and Protection of Privacy Act, 2015, and its preceding legislation: the Freedom of Information Act (FOIA) and the Access to Information and Protection of Privacy Act 2005. This includes, but is not limited to:
- Access to information requests, including records responsive to an Access to Information (ATI) request, correspondence with the applicant, departmental staff, third parties, the Office of the Information and Privacy Commissioner, and records relating to appeals; and
- Privacy matters, including privacy assessments of programs and services, privacy breach reports, and correspondence related to privacy matters including complaints related to privacy breaches with the Office of the Information and Privacy Commissioner.
The Access to Information and Protection of Privacy Office oversees the implementation and coordination of the Access to Information and Protection of Privacy Act, 2015. Any inquiries regarding the records under 11-01 ATIPP Management are to be directed to the ATIPP Office.
Filing Guidelines: Records are to be securely retained on site until final disposition. It is the responsibility of the Departments to ensure all copies, regardless of media, are securely disposed of when applicable. Departments should retain a permanent copy of the record of disposal.
Function: Compliance Management
GNL OPR:
*Government Departments and Public Bodies legislated by the ATIPPA
- 11-01-41 ATI Request Case Files
- 11-01-42 Privacy Breaches
- 11-01-43 OIPC Complaints and Investigations
- 11-01-45 Privacy Management Program Plan
**ATIPP Office
- 11-01-44 Privacy Impact Assessments and Preliminary Privacy Impact Assessments
Departmental OPR: Head of the public body (e.g., Deputy Minister)
Retention: See below
Disposition: Destroy
Media: Physical and/or electronic
Authority: CRIMS
CRIMS – Common Secondaries
| No. | Function Specific Secondary | ACT | DIS |
|---|---|---|---|
| 41 | *ATI Request Case Files: Records relating to the processing of an ATI request. Records include, but are not limited to: responsive records, correspondence with the applicant, departmental staff, third parties, the Office of the Information and Privacy Commissioner, and records relating to appeals, etc. Event Date (ED) is the date when all processes relating to an ATI request are complete (e.g., complaints, appeals, etc.) or timeframes for complaints/appeals have lapsed. | ED+2CY | D |
| 42 | *Privacy Breaches: Use for records relating to the methods and procedures in handling a breach involving the unauthorized collection, use or disclosure of personal information. Records include, but are not limited to: documented procedures, Privacy Breach Reporting Form, correspondence, internal reviews, etc. Event Date (ED) equals the date the privacy breach was reported to the OIPC. | ED+6CY | D |
| 43 | *OIPC Complaints and Investigations: Use for records gathered or created to respond to an OIPC investigation regarding a complaint or privacy concern. Records include, but are not limited to: responsive records, legal opinions, correspondence, internal review, audits, etc. Event Date (ED) is the date when all processes relating to an OIPC Complaint or Investigation are complete (e.g., complaints, appeals, etc.) or timeframes for complaints/appeals have lapsed. | ED+4CY | D |
| 44 | **Privacy Impact Assessments (PIA) and Preliminary Privacy Impact Assessments (PPIA): Use for evaluating how programs or services may affect people’s privacy. They help identify and reduce potential privacy risks. Preliminary privacy impact assessments (PPIAs) are used as an initial evaluation of a project, program or service to identify potential privacy risks prior to full development and serve as a first step to assess how the initiative might affect people’s privacy. A privacy impact assessment (PIA) is a more detailed and comprehensive assessment of programs, projects and services that should include a thorough review and evaluation of the initiative to ensure compliance with privacy requirements as well as to ensure the protection of personal information. Records include: final version of a PIA or PPIA. Event Date (ED) equals the date the program, project or service was completed, cancelled or withdrawn. | ED+3CY | D |
| 45 | *Privacy Management Program Plan: Use for records relating to a public body’s required Privacy Management Program Plan. These records illustrate the measures in place to manage and protect personal, sensitive, and confidential information within a public body’s custody and control, including in relation to the information captured in their IT systems and databases. The plan is a valuable reference point; defines privacy services; tracks and manages services/priorities; demonstrates compliance; and is a basis for future planning. Records include: privacy gap analysis, risk assessments, privacy training, privacy policies, personal information banks, etc. | Current Version + Previous Version | D |
For more information please contact im@gov.nl.ca