Redacting Documents for Canadian Access to Information Requests

How the Access to Information Act works

Canada's Access to Information Act (ATIA) gives individuals and organisations the right to request records held by federal government institutions. The Act has been in force since 1983 and applies to approximately 265 federal bodies - departments, agencies, Crown corporations, and other institutions listed in Schedule I.

The principle is presumption of access. Records are disclosable unless a specific exemption or exclusion in the Act applies. When an exemption applies to only part of a record, the institution must sever (redact) the exempt portions and release the rest. Section 25 makes this obligation explicit: where information can reasonably be severed from a record, the institution must disclose the remainder.

This is not optional. The Information Commissioner of Canada has consistently held that the duty to sever is a core obligation, not a courtesy. Institutions that withhold entire documents when severance would allow partial disclosure face formal complaints and, increasingly, orders to release.

Exemptions that drive redaction decisions

The ATIA contains two categories of protection: mandatory exemptions (where the institution must withhold) and discretionary exemptions (where the institution may withhold). Knowing which category applies determines whether you have a choice in the redaction scope.

Mandatory exemptions

Section 13 - Information obtained in confidence from other governments. If a foreign government, international organisation, or provincial government provided information in confidence, it must be withheld. Diplomatic correspondence, intelligence-sharing arrangements, and intergovernmental negotiations fall here. The exemption is mandatory - no discretion to release.

Section 19 - Personal information. Records containing personal information about identifiable individuals must be withheld unless the individual consents, the information is publicly available, or one of the specific exceptions in the Privacy Act applies. This is the exemption most commonly applied in practice and the one that generates the most redaction work. Names, contact details, employee identification numbers, medical information, financial details - all require severance when they relate to third parties.

Section 24 - Prohibitions under other Acts. Where another federal statute specifically prohibits disclosure, the ATIA defers. Tax return information protected under the Income Tax Act, census data protected under the Statistics Act, and similar statutory prohibitions override the access right.

Discretionary exemptions

Section 14 - Federal-provincial affairs. Information whose disclosure could reasonably be expected to harm federal-provincial relations or negotiations.

Section 15 - International affairs and defence. Information that could harm Canada's international relations, defence posture, or the detection, prevention, or suppression of hostile activities.

Section 16 - Law enforcement and investigations. Records related to ongoing investigations, law enforcement techniques, or information received from confidential informants.

Section 20 - Third-party commercial information. Trade secrets, financial or commercial information supplied in confidence by a third party, and information whose release could harm the competitive position of a third party. Procurement documents frequently trigger this exemption - vendor proposals, pricing structures, and proprietary technical details all qualify.

Section 21 - Advice and recommendations. Policy advice, recommendations, and deliberative material prepared for government decision-making. This exemption protects the integrity of the advisory process - officials need to be able to provide frank advice without fear of immediate public disclosure. It is time-limited: the exemption expires 20 years after the record was created.

Section 23 - Solicitor-client privilege. Legal advice provided by government lawyers, litigation strategy, and communications made for the purpose of obtaining legal advice. This exemption reflects the common law privilege and is applied conservatively.

The severance process in practice

Federal institutions follow the Treasury Board of Canada Secretariat's guidance on processing ATIA requests. The practical workflow for severance involves several stages that differ from private-sector redaction.

Line-by-line review. Each page of every responsive record is reviewed against the applicable exemptions. Analysts mark each proposed redaction with the specific section of the Act that justifies it. This is not general-purpose redaction - every blacked-out passage must cite a specific statutory provision.

Exemption coding. Released documents typically show the exemption section number alongside each redaction. A page might show "s.19(1)" next to a blacked-out name and "s.21(1)(a)" next to a withheld policy recommendation. This transparency allows the requester to understand why specific information was withheld and to challenge the exemption if they believe it was wrongly applied.

Approval chain. Severance decisions typically require sign-off from the ATIA coordinator and, for sensitive exemptions, from senior management or legal counsel. Section 15 (international affairs) and section 23 (solicitor-client privilege) redactions usually involve the institution's legal services division.

Quality assurance. Before release, the severed package is reviewed for consistency and completeness. Are the same exemptions applied consistently across the package? Has every redaction been coded? Has the severance inadvertently revealed exempt information through context clues in surrounding text?

Technical requirements for ATIA severance

The technical standard for ATIA redaction is the same as for any document disclosure: the redaction must permanently remove the withheld information. The requester should not be able to recover severed content through text selection, metadata examination, or any other technical means.

Federal institutions historically processed ATIA requests using paper-based workflows - photocopying, physically cutting and taping, then re-photocopying to flatten the redactions. Many have now moved to digital workflows, but the shift has introduced new risks. PDF overlay redaction that leaves underlying text recoverable has caused breaches in government contexts worldwide. The Canadian government's own guidance now emphasises that digital redaction must permanently remove content, not merely cover it visually.

Pixel-burn redaction meets this standard. The text is permanently destroyed during the rasterisation process. For institutions handling digital ATIA workflows, tools that apply pixel-burn redaction with automated PII detection can significantly reduce processing time - particularly for section 19 (personal information) redactions where the volume of names, phone numbers, and email addresses across hundreds of pages makes manual review slow and error-prone.

RedactProof identifies 40+ types of personal information automatically, which directly supports section 19 severance. Automated detection catches the identifiers that repeat throughout large disclosure packages - the staff member's name in every email header, the phone number in every signature block, the personal email address that appears once on page 3 and again on page 287.

Timelines and complaint risks

The ATIA requires institutions to respond within 30 days of receiving a request. Extensions are permitted under section 9 for large volumes of records, necessary consultations with third parties or other government institutions, or conversion of records to an accessible format. Extensions must be communicated to the requester with a revised timeline.

Late responses are a chronic issue. The Information Commissioner's annual reports consistently flag response timeliness as a systemic problem across federal institutions. Complaints about delays outnumber complaints about exemption decisions. For ATIA coordinators, the processing bottleneck is almost always the severance stage - the line-by-line review of hundreds of pages against applicable exemptions.

Automated PII detection does not replace the exemption analysis - that requires human judgement about whether a specific exemption applies. But it dramatically reduces the time spent on the mechanical task of finding and marking personal information. An analyst who spends 60% of their time spotting names and phone numbers and 40% making exemption decisions can reverse that ratio with automated detection.

Common severance mistakes

Applying discretionary exemptions as if they were mandatory. Sections 14 through 16 and 20 through 23 are discretionary - the institution may withhold, not must. The decision to apply a discretionary exemption should involve a genuine assessment of whether disclosure would cause the harm the exemption is designed to prevent. Reflexively withholding everything that could possibly fall under an exemption is over-severance, and the Information Commissioner will push back.

Inconsistent exemption application across a package. If a staff member's name is redacted under section 19 on page 5 but appears unredacted on page 50, the severance has failed. This is the most common technical error in large disclosure packages and the strongest argument for automated detection that scans the entire document set rather than relying on page-by-page manual review.

Failing to code exemptions. Every redaction in an ATIA disclosure should be accompanied by the section number of the exemption applied. Missing codes make it impossible for the requester to understand the basis for withholding and make complaints more likely. Treat exemption coding as part of the redaction workflow, not an afterthought.

Using overlay redaction in digital workflows. If the institution has moved from paper to digital processing, the redaction tool must permanently remove content. A black box over a PDF that can be lifted with copy-paste is not severance - it is a disclosure of the very information the exemption was meant to protect.