Check out our latest blog on safeguarding your information during the holiday season

Privacy Commissioner finds that Canadians have a right to have information de-listed from online search engine results in limited circumstances.

Joint investigation of TikTok Pte. Ltd.

How systemic delays, a backlog of overdue requests, and process errors led to UBC having the lowest rate of compliance.

NEW Checklist for Healthcare Organizations Considering the use of an AI Scribe

Privacy Commissioner of Canada to investigate cybersecurity breach at WestJet

PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada

Sask. information and privacy commissioner brings a focus on cyber security, AI

Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

Access to Information Act, Protection of Privacy Act implemented in Alberta

Closing a Practice

Closing a Practice

Back in 2011, this office issued an Advisory to address concerns we had at the time regarding abandoned patient records. That resource was titled, Advisory for Saskatchewan Trustees for Record Disposition. This office now again is looking to provide some advice to trustees that are winding up his or her practice as additional cases of abandoned patient records come to our attention.

In one recent case, a physician left the country leaving behind both paper and digital patient records in two different locations. Section 22 of The Health Information Protection Act (HIPA) requires trustees that are closing up his or her practice to transfer custody/control of patient records to another trustee or an Information Management Service Provider (IMSP) that is a designated archive.  This physician did not do this. Instead an IMSP was left with physical possession of patient records.  The full Investigation Report 214-2017 is available on our website here.

So what needs to be done in order to wrap up a practice without leaving loose ends? The Saskatchewan College of Physicians and Surgeons has a helpful resource, Leaving Practice – A guide for physicians and surgeons. In addition to HIPA obligations, this resource addresses other issues such as continuity of care and discharging patients. The Ontario Information and Privacy Commissioner published Succession Planning to Prevent Abandoned Records which considers obligations under its Personal Health Information Protection Act, 2004. HIPA is of course similar but not identical and applies to a wide assortment of trustees (i.e. affiliates, Saskatchewan Health Authority) with custody or control of personal health information, not just physicians.

In terms of HIPA compliance, some of the most important steps to take before closing a practice are as follows:

  1. If you have not done so already, create an inventory of all records (paper and digital) in your custody or control;
  2. If you do not have one, create a record retention/disposition schedule for all records;
  3. Custody or control of patient records must be clearly established before taking action;
  4. Before transferring patient records, enter into a written agreement with the successor trustee or IMSP (that is a designated archive, see HIPA Regs s. 4);
  5. Ensure that any multi-function devices that may contain personal health information are sufficiently wiped/erased or hard-drives are destroyed;
  6. Provide advance, adequate notice (letters to patients, notice on doors, voicemail message and details in the newspaper and/or online) to patients and others;
  7. Securely transfer patient records; and
  8. Leave no records behind including securely destroying any records that are up for disposition.

If a member of a regulated profession, the trustee can also seek advice from its health professional body which also happens to be prescribed as designated archives in the HIPA Regs. Do you have more questions? If so, let us know.

Was this page helpful?

What Makes a Good Submission?

The staff at the OIPC recently watched a webinar called The Art of Persuasive Speaking put on by The Canadian Bar Association. Some of the points made in the webinar are relevant to public bodies providing submissions to our office. I thought I would share some further tips pulled from that webinar.

When you want to be persuasive in your arguments to our office:

1. Have a plan and prepare:

Your goal is to convince our office that the public body is in compliance with the legislation.

  • Assemble all the evidence (information) relevant for our office;
  • Lay out the facts, tests, law and argument;
  • Focus on the key disputed facts and issues; and
  • Understand the role of the public body as it pertains to burden of proof (section 61 of FOIP/section 51 of LA FOIP).

2. Know your audience:

Understanding the role of our office is important in tailoring your arguments. Our office is a neutral oversight body. Our office is being asked to make a decision and recommendations.  We have found that when dealing with other organizations, a cooperative approach really works. We are not on the side of the applicant, third party or the public body. We are the first level of appeal before the Court of King’s Bench (2nd level of appeal).

  • Remember, our office will also be receiving arguments from the opposing parties in the case; and
  • How persuasive a party’s arguments are will influence the outcome of the case and you want yours to be most persuasive.

3. Use persuasive techniques:

Your goal is to make our office want to decide in your favour. Show us how to get there.

  • Put yourself in the shoes of our office, and ask: “If I had to make this decision, what would I need to make it?” This will help you focus on the key issues and anticipate questions our office would likely ask;
  • Use solid arguments and deliver only true and accurate statements;
  • Put your best (strongest) arguments first;
  • Avoid filling your submission with endless details without context;
  • Broad general statements are not persuasive; and
  • Present arguments from reputable sources.

These are all effective means of putting your arguments forward, which is in turn more persuasive. For more assistance on preparing your submission, Index of Records and/or the record itself, you can refer to our resource, What to Expect During a Review with the IPC:  A Resource for Public Bodies and Trustees

Was this page helpful?

LA FOIP, Municipalities and Cities

Access to information under LA FOIP

One of the purposes of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) is to ensure that local authorities are transparent and accountable to the public. One way of facilitating transparency and accountability is to provide individuals with the right to access records in the possession or under the control of a local authority. Section 5 of LA FOIP provides individuals with the right to access to records in the possession or under the control of a local authority:

5 Subject to this Act and the regulations, every person has a right to and, on an application made in accordance with this Part, shall be permitted access to records that are in the possession or under the control of a local authority.

Individuals may use this form to submit an access to information request to a local authority: http://www.qp.gov.sk.ca/documents/Forms/L27-1R1-B.pdf.

When a local authority receives a written request, it should process the request formally under LA FOIP. This includes assisting the Applicant to identify the record he/she is seeking, issuing a fee estimate if it is appropriate to do so, conducting a reasonable search for records, consulting with third parties, and issuing a formal response in accordance with section 7 of LA FOIP. For more information, please consult my office’s Best Practices for Responding to Access Requests.

Are there records that citizens may access without submitting a formal request under LA FOIP?

A person is entitled under section 117 of The Municipalities Act (MA) to inspect and obtain copies of certain types of records, including contracts approved by council, financial statements prepared in accordance with section 185 of MA, and council’s approved meeting minutes. What this means is that individuals should not have to submit a formal request under LA FOIP to obtain the records they are entitled to under the MA.

Similarly, a person is entitled under section 91 of The Cities Act (CA) and section 133 of The Northern Municipalities Act, 2010 (NMA) to inspect and obtain copies of similar types of records described above. What this means is that individuals should not have to submit a formal request under LA FOIP to obtain the records they are entitled to under the CA.

Do councillors have a right to records?

As a part of their duties, councillors are to represent the interests of the citizens living within their constituency at council meetings and council committee meetings. Councillors must also be informed in order to effectively participate in such meetings. In order to stay informed, councillors should have access to records related to the municipality/city business without requiring them to make a formal access to information request under LA FOIP to gain access.

Municipalities and cities should have policies and procedures in place that enables councillors to have access to records related to municipality/city business. Councillors should also agree to keep matters confidential until the matter is discussed publicly at a council meeting or council committee meeting.

Section 92 of the MA outlines the duties of councillors as follows:

92 Councillors have the following duties:

(a) to represent the public and to consider the well-being and interests of the municipality;

(b) to  participate  in  developing  and  evaluating  the  policies,  services  and  programs of the municipality;

(c) to  participate  in  council  meetings  and  council  committee  meetings  and  meetings of other bodies to which they are appointed by the council;

(d) to  ensure  that  administrative  practices  and  procedures  are  in  place  to  implement the decisions of council;

(e) subject to the bylaws made pursuant to section 81.1, to keep in confidence matters discussed in private or to be discussed in private at a council or council committee meeting until discussed at a meeting held in public;

(f) to maintain the financial integrity of the municipality;

(g) to perform any other duty or function imposed on councillors by this or any other Act or by the council.

Section 65 of the CA and section 106 of the NMA is very similar to the above.

When should council meetings or council committee meetings be held in-camera?

The MA, CA, and NMA requires councils and council committees to meet in public. Parts or all of a meeting can be closed to the public if the matter being discussed is within one of the exemptions in Part III of LA FOIP. Part III of LA FOIP provides for limited and specific circumstances in which information should not be disclosed.  Generally speaking, councils and council committees should make efforts to conduct most of their meetings in public unless one of the limited and specific circumstances in Part III of LA FOIP exists.

An example of when councils or council committees should hold part of a meeting closed to the public is if a matter to be discussed includes personal information of a citizen. This is because Part III of LA FOIP includes the following exemption:

15 (1) A head may refuse to give access to a record that:

(b) discloses agendas or the substance of deliberations of meetings of a local authority if:

(ii) the  matters  discussed  at  the  meetings  are  of  such  a  nature  that  access to the records could be refused pursuant to this Part or Part IV.

Part IV of LA FOIP provides that local authorities must not disclose personal information unless it has consent of an individual or the disclosure is in accordance with section 28 or 29 of LA FOIP:

28 (1) No  local  authority  shall  disclose  personal  information  in  its  possession  or  under  its  control  without  the  consent,  given  in  the  prescribed  manner,  of  the  individual to whom the information relates except in accordance with this section or section 29.

To understand when a meeting should be closed to the public, municipalities and cities should have a sound understanding of LA FOIP. For support, municipalities should contact the Ministry of Government Relations. They should also contact the Ministry of Justice (Access and Privacy Branch) at 306-798-0222 or accessprivacyjustice@gov.sk.ca, who makes training available to cities and municipalities.

Open Government, proactive disclosure, and routine disclosure

Municipalities and cities across Canada are leading the way in open government initiatives, including the City of Regina and the City of Saskatoon. These initiatives allow for citizens to gain access to information without submitting a formal access to information request. Check out the City of Regina’s website here and the City of Saskatoon’s website here.

I also note that many other cities and municipalities in Saskatchewan are proactively preparing and publishing information on their websites such as council agendas and meeting minutes. Such proactive disclosure of information facilitates transparency and accountability and enhances active participation of citizens in civic life.

Check out my office’s blog entry on what a municipality or city should consider when publishing agendas and meeting minutes on its website: https://oipc.sk.ca/council-agendas-and-meeting-minutes/.

Other helpful resources

A resource about LA FOIP for councillors: https://oipc.sk.ca/assets/what-councillors-should-know-about-lafoip.pdf

Mayors, reeves, and councilors may have a steep learning curve when they are elected, including how to handle personal information and personal health information. Here’s a resource on best practices on how to handle records that contain personal information and personal health information: https://oipc.sk.ca/assets/best-practices-for-mayors-reeves-councillors-and-school-boards.pdf

LA FOIP 101: The Basics for Cities, Towns, Municipalities Webinar: https://oipc.sk.ca/resources/webinars/la-foip-101-the-basics-for-cities-towns-municipalities-etc/

Resources by the Ministry of Justice, Access and Privacy Branch: http://www.publications.gov.sk.ca/deplist.cfm?d=9&c=3570

Was this page helpful?

Severing

When responding to access to information requests under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA), there may be circumstances where information is exempt from release under mandatory or discretionary exemptions.  However, each of these statutes requires public bodies to release as much information as possible when responding to requests and this is done through severing.

Section 8 of both FOIP (applies to government institutions) and LA FOIP (applies to local authorities) provide:

8 Where a record contains information to which an applicant is refused access, the head shall give access to as much on the record as can be reasonably be severed without disclosing the information to which the applicant is refused access.

Subsection 38(2) of HIPA, which applies to trustees, has similar language.

Severing is the exercise by which portions of a document are blacked out before the document is provided to an Applicant. It is also considered severing where a responsive record is withheld in full.  In order to be compliant with section 8 of FOIP/LA FOIP and subsection 38(2) of HIPA, public bodies and trustees need to conduct a line-by-line review of each page and apply severing where appropriate.  In addition, each severed item should have a notation indicating which exemption(s) applies in each instance.  It must be clear to the Applicant as to what exemption(s) is being relied upon for each item that is severed. The IPC discourages the use of white space redacting. White space redacting is where software removes the content of a record in such a way that it renders the redacted content indistinguishable from the blank background of the document. This type of redacting creates uncertainty as to what, if anything, has been redacted.

It is important that public bodies and trustees not apply a blanket exemption(s) to an entire page or record just because the majority of the information contained on that page is exempt from release. A great example is an email chain.  A communication may almost fully be exempt from release.  However, if a public body or trustee is contemplating also severing the header information (to, from, cc, date, and subject), opening and closing sentences, confidentiality notice, signature lines, etc. of an email, it needs to demonstrate how the exemption applies to that information also.

We encourage you to refer to the IPC Guide to FOIP or the IPC Guide to LA FOIP at the time you are processing an access to information request as these resources outline the tests you need to consider when determining if an exemption should be applied.

On a final note, if you are still severing using hard copies of documents and find this to be onerous, you may want to look into options that are available for electronic severing. Who knows, you may already have this capability with the software that is installed on your system.

To learn more about severing electronically, check out our webinar Modern Age Severing Made A Lot Easier.

Was this page helpful?

Council Agendas and Meeting Minutes

To be accountable to the public, meetings of council and council committees are public by virtue of section 119 and 120 of The Municipalities Act. Further, subsection 117(1)(d) of The Municipalities Act entitles any person to inspect and obtain copies of council meeting minutes after they have approved by council.

To support this accountability, municipalities can post the agendas of council and council committee meetings to their website. The benefits of municipalities making information available online are plain to see. First, it increases municipalities’ accountability to the citizenry. Second, it increases citizens’ active participation in civic life.

While making information available online, such as council agendas and meeting minutes, has its benefits, municipalities should take care to minimize or avoid the publication of personal information of citizens on their websites.

What are the risks of publishing personal information on a website?

Chilling Effect

Public participation in civic matters is important to a democratic society. If individuals know their personal information, including their name and concerns, will be published on a website, then they may be deterred from raising matters to council.

Misuse

Search engines index websites and make information published on websites easily searchable.

Furthermore, technology is enabling organizations to gather and analyze personal information from various sites to create profiles on individuals. Such profiling can have undesirable results such as identity fraud or theft, embarrassment, and physical or emotional harm.

Dissemination

Publishing information on the World Wide Web has a much broader audience than information published in other formats such as hard copy newsletters, magazines, and books. Further, information published online can easily be copied and disseminated. Information, especially if it is inaccurate or unflattering, can haunt or damage an individual’s reputation.

Can municipalities withhold personal information that is in meeting documents?

The short answer is yes.

The long answer is that while subsection 120(1) of The Municipalities Act requires that council and council committees conduct their meetings in public, subsection 120(2) of The Municipalities Act provides that meetings may be closed to the public if the matters being discussed are within the exemptions in PART III of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP).

Part III of LA FOIP includes subsection 15(1). Subsection 15(1) of LA FOIP provides that a head may refuse to give access to a record that discloses agendas or the substance of deliberations of meetings where matters discussed at the meetings could be refused pursuant to Part III or Part IV of LA FOIP.

Part IV of LA FOIP includes subsection 28(1). Subsection 28(1) of LA FOIP provides that a local authority is not to disclose personal information in its possession or control without the individual’s consent except if the disclosure is authorized by LA FOIP.

Since Part IV of LA FOIP enables a local authority to refuse access to personal information, then council and council committees may close its meetings to the public if the matters being discussed include personal information.

What does this mean for municipalities posting agendas and meeting minutes to its website? Information in documents that falls within the exemption subsection 15(1) of LA FOIP and subsection 28(1) of LA FOIP, then, can be withheld (or redacted) prior to the document being posted online.

What privacy considerations should a municipality undertake when publishing council agendas and meeting minutes?

Notification

Before, or at the time of, collection of personal information, LA FOIP requires that municipalities inform individuals of the purpose for which personal information is collected. Therefore, municipalities should notify citizens about how personal information submitted to it could become a part of public council or committee agendas or meetings minutes, and could also be published to the RM’s website. The notice should include the contact information of someone who works for the municipality to answer questions or respond to concerns about the collection of personal information.

Municipalities should consider putting a notice on its website, in brochures, on posters, and on any other medium where citizens can easily see the notice.

Redaction

If documents such as agendas contain personal information, consider providing council members with a redacted version of the document for the council meeting.

Further, if council meeting minutes contain personal information, then municipalities should consider redacting the personal information prior to publishing the minutes on their website.

Data Minimization

When recording the minutes of a council meeting, the municipality should record the least amount of personal information. Better yet, it can attempt to de-identify the information by using terms such as “a Rate payer,” “a Tax payer”, or an initial to represent the person who is involved in a matter being discussed by council, or a council committee.

Review of Practices

Municipalities change and so does technology. Reviewing and revising practices to account for such change can be a good way to stay ahead of the curve. Asking citizens for feedback on the municipalities’ privacy practices may also help municipalities adjust their privacy policies accordingly!

 

Was this page helpful?

Lawyers Bills: Are They a “No Brainer”?

We have now had a few reports that have dealt with the application of solicitor-client privilege exemptions (sections 22 of FOIP and 21 of LA FOIP) to lawyers bills.  In these cases, the Commissioner relied on a Supreme Court of Canada decision Maranda v. Richer, [2003] 3 S.C.R. 193, 2003 SCC67 to find that lawyers bills are subject to solicitor-client privilege.  The Supreme Court asserted that there is a presumption of privilege for lawyers’ bills of account as a whole in order to ensure that solicitor-client privilege is honoured. (See IPC Review Reports 052-2013 and 280-2016 & 281-2016)

When I refer to “lawyers bills”, I mean an invoice or statement of account that is communicated from a lawyer or law firm to a public body after providing legal services.  Some lawyers bills can be quite detailed and list the dates of individual phone calls, tasks performed and the subject matter. 

It is possible for an Applicant to rebut that solicitor-client privilege applies.  To do so, it must provide persuasive arguments that the disclosure of information will not result in the Applicant learning of information that is subject to solicitor-client privilege. Order F15-16 from the Information and Privacy Commissioner of British Columbia lays out a test for determining whether the presumption of privilege has been rebutted.  Applicants, though, are at a disadvantage when having to make arguments for why privilege does not exist to information when they cannot see or examine the information.

So it does seem like a no brainer that solicitor-client exemptions would apply to this type of information, right?

Well… I think every issue in the FOIP World is unique!

A public body still has to be accountable for the public money it spends on legal services.  In Review Report 003-2017, the Commissioner found that the details of payment for legal services in a public body’s accounts payable invoice history report was not subject to solicitor-client privilege.  In other words, some of the information from the lawyer’s bill was entered into the public body’s accounting system, which was the subject of the review.  The Commissioner reasoned that some of the data items in this record, such as purchase order number, voucher number and bank information, was information that the public body assigned to the lawyer’s bill once it was received  – the exemption did not apply to these items.  Further, the name of the law firm did not qualify as it was confirmed through public documents that a particular firm had been engaged by the public body.  The firm’s invoice number and the due date did not reveal the nature of the advice that was sought.  Finally, he also did not find that there was a reasonable possibility that disclosure of the amount of the fees paid would reveal any communication protected by privilege.

Once again, I am reminded that our office must review every record, and the circumstances surrounding it, on a case by case basis.

 

Was this page helpful?

Access and Privacy Rights of Minors Online

On May 3, 2016, our office posted to our website a blog titled, Who Signs for a Child?. Though the focus of that blog was on who can sign for a child under the age of 18 years, the following advice on mature minors was offered:

FOIP and LA FOIP do not contemplate the child asking for his or her personal information. But when children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.

HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.

What further complicates matters is when services being offered to children and adolescents move to the online world. How are access and privacy rights impacted?

Although there does not appear to be any global rules on children’s consent under the new General Data Protection Regulation (GDPR), Article 8 speaks to children’s consent for ‘information society services’ (services requested and delivered over the internet).  It appears that for most services provided to children, parental consent for those under 16 is needed unless otherwise set by Member States.  If offered online, age-verification measures and reasonable efforts to verify parental responsibility for those under the relevant age is a must.

In an interesting decision, PIPEDA Report of Finding #2014-011, dealing with an investigation involving a website aimed at children between the ages of 6 and 13 years of age, the Privacy Commissioner of Canada’s office commented as follows:

112.  The consent provisions of PIPEDA do not expressly speak to age-based consent. Principle 4.3 states that the knowledge and consent of an individual are required for the collection, use and disclosure of personal information. Principle 4.3.2 requires organizations to ensure that individuals are advised of the purposes for which the information will be used and that consent obtained from individuals is meaningful. Meaningful consent means that the individual concerned can reasonably understand how the information will be used or disclosed prior to providing consent.

113.  Meaningful consent becomes a more difficult notion where personal information is being sought from children. Can a child reasonably understand what they are being asked to consent to?

114.  Principle 4.3.6 of Schedule 1 states that consent can be given by an authorized representative (such as a legal guardian or a person having a power of attorney). However, it does not specify under what circumstances this can or should occur.

115.  In PIPEDA Report of Findings #2012-001, we recognized that there was value in users of a Canadian social networking website aimed at teenagers and young adults involving their parents in their online transactions. However, we concluded that PIPEDA did not require parents to provide consent on behalf of their teenager in the context of that website. We concluded in that case that in order to ensure meaningful consent was obtained, the information handling practices of the organization had to be explained in such a way that its teenage users could understand how their personal information would be handled by the website.

116.  Ganz’s Website is aimed at children under 13, a younger demographic group than the one at issue in PIPEDA Report of Findings: #2012-001. Children under the age of 13 have arguably a less sophisticated understanding of online marketing and social media interactions.

122.  We considered it questionable as to whether a child under the age of thirteen opening an account would be able to find this provision in the User Agreement, understand the text, and act accordingly.

Canada Health Infoway has done some work in this area specifically examining adolescent access to PHI in a number of publications including Consumer Health Solutions – Pandora’s Box Adolescent Access to Digital Health Records – Research Summary dated August 2016. In its Executive Summary it states, “Outside of Quebec, statutes do not set an age requirement for a person to access their own PHI, to consent to the collection, use and disclosure of their PHI or to consent to treatment. However, there are other requirements to exercise the rights, such as knowledge, capacity or maturity.” Later it is stated, “the general rule is that a contract cannot be enforced against a minor (although there are exceptions).”

How do you cover your bases? The Privacy Commissioner of Canada offers good advice when dealing with kids online in Collecting from kids? Ten tips for services aimed at children and youth, as follows:

Make clear who is agreeing to terms and conditions. The ubiquitous “I have read and agree to the Terms and Conditions and Privacy Policy” checkbox on registration forms poses an additional difficulty when your users are youth. Is your organization asking the user to agree to these terms, or his or her parent/guardian? Remember, with younger children, the former is not possible given the need for meaningful consent. Moreover, if it is the latter, you must also ask yourself how you are ensuring that the parent/guardian has actually been involved in the process. The answer to these questions needs to be clear to, and consistent between, both you and your users.

Now that we are moving to online access to PHI through patient portals, what, if any, limits should be set as to age of those that can log-in and get direct access to his or her own PHI? Are any associated terms and conditions accepted akin to entering a contract? Our office has not yet had to offer any formal views on the particular issue. We will have to wait and see.

Was this page helpful?

2017 Saskatchewan Connections Conference

The 2017 Saskatchewan Connections Conference is happening May 10 & 11 at Regina’s The Doubletree By Hilton. For more details please vist http://skconnections.ca/sk2017/index

Was this page helpful?

Transitory Records and Access-to-Information Requests

What are transitory records?

The Provincial Archives of Saskatchewan defines transitory records as:

Records of temporary usefulness that are needed only for a limited period of time, to complete a routine task or to prepare an ongoing document. Also, exact copies of official records made for convenience of reference. These records are not required to meet statutory obligations or to sustain administrative or operational functions. Once they have served their purpose and, in the case of convenience copies the official record has been identified, these records should be destroyed in accordance with internal disposal procedures.

What are some examples of transitory records?

As mentioned above, records of short-term value are transitory records. Similar to official records, transitory records can come in any format, including post-it notes, handwritten notes, and electronic records including emails and text messages.

Are transitory records subject to FOIP or LA FOIP requests?

Yes. Although transitory records are routinely disposed, if the public body receives an access-to-information request under FOIP or LA FOIP, then any responsive transitory records in the possession or control of the public body must not be disposed.

The receipt of a FOIP request should freeze all disposition action relating to records responsive to the request.

Public bodies should have processes in place to communicate to employees to not dispose of records that are responsive to a FOIP or LA FOIP request.  It is an offense to willfully destroy records to evade an access-to-information request.  The penalty can be a fine and/or imprisonment.

How long must the public body wait before disposing of the transitory records?

The public body should wait at least one year before disposing of transitory records that are responsive to an access-to-information request. This is because the public body must include the transitory records as it processes the access-to-information request. Then, once the public body responds to the Applicant, the Applicant has one year from the time the response is given to appeal to the Commissioner (subsection 7(3) of FOIP and LA FOIP). Once this time period has expired, then the public body can dispose of the transitory records.

It should be noted that public bodies may continue to destroy transitory records that are not responsive to an access-to-information request according to their records management policy.

 

Was this page helpful?

When the Media Calls (updated)

Every once in a while, a journalist or some other individual will call my office to ask whether a review had been started on a particular request for information or investigation launched into a privacy breach. The policy of this office is to not immediately confirm that a request for review or specific privacy investigation is underway, so time can be taken to consider the privacy and confidentiality obligations that my office has under The Freedom of Information and Protection of Privacy Act (ss. 46 and 53). One consideration is that the name of the applicant is personal information and should not be shared without the requisite need-to-know. I may nonetheless exercise my discretion as Commissioner in certain cases and confirm basic details (i.e., investigation file has been opened).

I think a bit more on the process may make it clearer what is going on behind the scenes once a review or investigation is underway. Briefly, for example, when Intake Officers of this office receive a request for review, they contact the parties and attempt to see if the matter can be settled. Will the applicant narrow his or her request? Will the public body re-visit part or all of its decision to withhold information, reduce a fee or take any steps to provide the applicants with some or part of the information requested? If the matter cannot be settled, a letter notifying the public body, any engaged third party and the applicant that a review has started is sent and an Analyst is assigned. Staff request the public body to provide a copy of the records at issue, index of the records and its submission as to why it is withholding records. Upon receipt of those documents, the Analyst proceeds with the review, asks questions of the public body and if necessary, interviews people and makes a site visit. Once this stage is completed, the final report is prepared, sent to the parties and posted on our website. The name of the applicant is not included in the public report. The public body has 30 days to advise the applicant and my office whether it will comply with the recommendations. After that, the applicant or a third party have 30 days to appeal to the Court of King’s Bench.

You can see a diagram showing the process by clicking here.

It is a pretty straight-forward process, and my office makes every attempt to move the process along quickly so that parties get their decisions as soon as possible. Our goal is to resolve matters within 30 days or issue a report, on average, within 150 days. In certain instances where the public body has failed to issue a section 7 decision, the applicant is requesting a review of the fee quoted or fee waiver decision, it is our objective to issue the report, on average, within 90 days. I ask all that work with us to help us reach these goals.

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.