Updated: Chapter 5 of the Guide to FOIP is now available! Click on Guides, IPC Guide to FOIP for more information.

Interview with Michael McEvoy, Information and Privacy Commissioner of British Columbia

Interview with Michael McEvoy, Information and Privacy Commissioner of British Columbia

I had the pleasure to talk to Michael this January about legislative initiatives in his province. The government introduced Bill 22, an act to amend the Freedom of Information and Protection of Privacy Act (public sector legislation) and the special Committee report on BC’s private sector legislation. He discusses the changes he likes and the concerns he has.

Please click here to listen to Episode 6 of Un-redacted, The Sask IPC Podcast to hear more about what is happening in British Columbia.

 

Discussion with Denise Doiron, Information and Privacy Commissioner of PEI

Bill 118 regarding non-disclosure agreements was given royal assent on November 17th 2021 in Prince Edward Island (PEI). I discussed the bill, its history, its main features and its application with Denise Doiron, the Information and Privacy Commissioner in PEI. Check out Episode 5 of Un-redacted, The Sask IPC Podcast here for more information on this discussion.

Podcast: A discussion with the Ontario Information and Privacy Commissioner on private sector privacy legislation

First Podcast

I thought it was time I entered the world of podcasts. It is an excellent tool for having a discussion with someone who has expertise in a particular area. It works best when it is conversational and allows greater time to be spent on a topic. My first guest is Patricia Kosseim, the Information and Privacy Commissioner of Ontario. We discussed the Ontario government’s white paper on private sector access and privacy legislation and her response to the proposals contained in that white paper.

Please listen and let me know how I might do better.

Un-redacted, The Sask IPC Podcast | IPC (oipc.sk.ca)

An activity booklet for kids

The Ontario Information and Privacy Commissioner released a privacy activity book, Privacy Pursuit! Games and Activities for Kids, to help kids better understand and protect their online privacy.

In her blog she says:

This new activity booklet is designed to help kids learn more about online privacy through games like word searches, crossword puzzles, cryptograms, and word matches, among other fun activities. Through these exercises, kids will pick up some easy-to-understand tips that will help them watch out for scams, protect their privacy, and stay safe online. Some thought-provoking questions will also guide kids through a process of self-discovery by reflecting on what privacy means to them and how to respect the privacy of others through caring and empathy.

Check it out and see if it increases the awareness of your children regarding privacy.

 

What about the email attachments?

The majority of the time, records related to communications between parties are now in the form of emails. These may be single emails, or an email thread comprised of a number of emails between different parties. In some cases, the emails or email threads may contain attachments.

Unless the applicant has indicated they are not interested, the public body or trustee should treat email attachments as responsive to the access to information request. In Review Report 297-2019, the Commissioner determined that when the public body provided a copy of the responsive record, it did not include an attachment to an email. In that Report, the Commissioner indicated that public bodies should ensure all responsive records are identified. In Review Report 381-2019, the Commissioner noted that, “it is important that when public bodies are identifying records responsive to a request, it also identify any attachments to emails.”

This is straightforward if it involves a single email or is visible in the most recent email of an email thread. If attached to earlier responses within an email thread, the email header information may not show the attachment. In these cases, when reviewing the record, keep your eyes open for other evidence of attachments otherwise hidden.

Additionally, if public bodies are trying to make a prima facie case that solicitor-client privilege applies by providing an affidavit of record, it must ensure the affidavit of record identifies all records it is claiming solicitor-client privilege over, including attachments. As my office does not review the records in these cases, my office would not have the ability to identify emails where there was an attachment. This is why it is imperative that the public body’s affidavit of record identify any attachments to emails.

To help ensure that public bodies or trustees provide email attachments, it needs to have appropriate records management practices in place. As referenced in Review Report 007-2019 at paragraphs [24] and [25], public bodies should not use its email accounts as a means of storing its emails. Public bodies should provide employees with appropriate guidance on the proper storage and management of any emails received. This includes guidance on regularly saving official government records to their appropriate location in the public body’s filing system or electronic document management system. Public bodies should ensure that email records, including any attachments, are stored and managed in a consistent manner as with all other official government records. Ensuring all records are stored and managed appropriately will assist FOIP Coordinators when undertaking a search for records responsive to a request.

Why some reviews and investigations cannot pass go

If you have ever contacted our office regarding a concern with how a public body (government institution or local authority) or trustee has responded to your access to information request or handled your personal information or personal health information, you probably heard that we are an office of last resort. As the oversight body, we are an appeal body. That means that you must first have made the access request to the appropriate body and waited the requisite period of time before bringing your concerns to our attention. The same can be said for privacy complaints, for the most part. But, even once you submit your request/complaint, we don’t immediately open a file as we have to make a call in terms of if we can proceed.

What do I mean by that? Firstly, we must have jurisdiction. That is, the body that your request/complaint is made involves a public body or trustee. Even if it appears this is the case, we also need grounds to proceed. It is much more straightforward in a review if we have grounds as will be evident in the documentation, but the applicant still needs to point out which issues they want us to consider in the review (i.e. fee estimate, manner of access, search, fee waiver, access denied, time extension). So clearly, providing all the necessary documentation is crucial for us to move forward.

With a privacy complaint, if you believe that a public body or trustee breached your privacy, what you bring to us must be specific and convincing. For instance, what personal information or personal health information is involved? On what day/time did the alleged inappropriate or unauthorized collection, use or disclosure of your personal information or personal health information occur? Who was involved? How do you know that this occurred? What proof do you have that would support your assertions?

In either case, if enough information is not provided even after our intake team intervenes, the request/complaint may be dismissed and no review or investigation is undertaken by our office. This could happen too if statutory time limits have expired.

If it looks like we have jurisdiction and sufficient grounds to go forward with a review or investigation, notifications to the parties are sent indicating that we are proceeding. However, we could still end up discontinuing the review or investigation if we are convinced that the appeal concerns a trivial matter, is frivolous, vexatious, not made in good faith, or for other reasons noted in the legislation. For the most part, the reasons for making an access request(s) or submitting a privacy complaint(s) aren’t relevant, but motives may be considered if actions taken by the submitter of the request/complaint amount to an abuse of process. For example, the following excerpts are taken from our Review Report 225-2015:

  1. Did the Applicant request this review on grounds that are frivolous, vexatious or not in good faith?

[10] Subsections 43(2)(a) and (b) of HIPA provides:

43(2) The commissioner may refuse to conduct a review or may discontinue a review if, in the opinion of the commissioner, the application for review:

(a) is frivolous or vexatious;

(b) is not made in good faith;

[11] This provision enables the Commissioner to dismiss or discontinue a review where it appears the access provisions of HIPA are not being utilized appropriately. …

[12] Personal health information is one of the most sensitive forms of personal information. It is collected primarily for reasons connected with patient care and is collected under circumstances of vulnerability and trust. Therefore, denying someone the right of review should only be permitted in the most extreme of circumstances and when there is compelling evidence to do so.

[13] On the other hand, HIPA must not become a weapon for disgruntled individuals to use against a trustee for reasons that have nothing to do with the Act. …

[16] Depending on the nature of the case, one factor alone or multiple factors in concert with each other can lead to a finding that a request is an abuse of the right of access. …

[62] The rights afforded the public to access under HIPA are accompanied by concomitant responsibilities on the part of Applicants. One of these responsibilities is working in tandem with the trustee to further the purposes of the Act. Actions, on the part of an Applicant that frustrate this approach can be said to be an abuse of this process. Examples include overwhelming a trustee with access requests, not working constructively to resolve issues, making repeated unfounded accusations and being uncooperative or harassing to those who are attempting to assist.

[65] In conclusion, considering all that is before me, I find that the Applicant’s review request is vexatious.

[66] I find that the review under consideration has been initiated on vexatious grounds pursuant to subsection 43(2)(a) of HIPA. I therefore discontinue this review

[Emphasis added]

In the above case, the review was discontinued for the reasons noted, but this is an uncommon outcome. I find in most cases, individuals that come to our office do so in good faith and are eager to cooperate and not surprisingly, those files proceed without complication. So, if unclear at all as to what is required, please contact us.

 

Saskatchewan Information and Privacy Commissioner Tables 2020-2021 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has tabled his office’s 2020-2021 Annual Report: Change is in the Air, with the Legislative Assembly.

In his report, the Commissioner addresses the need to update Saskatchewan’s access and privacy legislation. The Freedom of Information and Protection of Privacy Act and The Local Authority Freedom of Information and Protection of Privacy Act were implemented in 1992 and 1993 respectively, at a time when paper records were the norm. Society has shifted. Technology and the digitization of information is now the rule. Kruzeniski stated:

“A vast amount of information about each of us is housed in databases, many of which are accessible by the internet. We look up information, we order things, and we pay bills and communicate with one another through the utilization of these databases and the internet. It is time that we modernize our access and privacy legislation to take this into account.”

The Commissioner concluded by summarizing the legislative changes that are happening in access and privacy jurisdictions across the country.

 

Media contact:
Kara Philip, Manager of Communication
Telephone: 306-798-2260
Email: kphilip@oipc.sk.ca

 

News Release for 2020-2021 Annual Report

What is evidence in a review?

Simply saying something is true doesn’t always make it so. For example, telling me a particular store is closed on a given holiday won’t necessarily make me believe it is. Showing me the store’s website holiday schedule is likely to make me believe it a bit more. Driving me by the store on Christmas day and showing me its doors are locked will convince me.

What does this have to do with evidence? In the access and privacy world, evidence supports your positions in meeting the burden of proof, which is placed on the head of a government institution pursuant to section 61 of FOIP or a local authority pursuant to section 51 of LA FOIP or a trustee pursuant to section 47 of HIPA. Chapter 2 of the IPC Guide to FOIP and Chapter 2 of the IPC Guide to LA FOIP define “burden of proof” as the “obligation of one of the parties in a review to persuade the Commissioner to decide an issue in its favour”. The IPC Guide to HIPA’s definition is similar.

When the Commissioner considers if a public body or trustee has met its burden of proof, he does so based on a balance of probabilities or preponderance of the evidence. Under a review and after considering a public body’s or trustee’s arguments, the Commissioner needs to be able to say, “I think it is more likely, or more probable, than not” that whatever is being argued is the case (Guide to FOIP, p. 41). For example, when the Commissioner considers if a public body has met its burden of proof with respect to Part III of FOIP or LA FOIP, the starting point is considering the tests the IPC has laid out in Chapter 4 of the IPC Guide to FOIP and Chapter 4 of the IPC Guide to LA FOIP. In applying these tests, the Commissioner considers the arguments or assertions the public body makes in defending its application of the exemptions at issue, and also any supporting evidence the public body or trustee provides to bolster its positions or assertions.

Chapter 2 of the IPC Guide to FOIP, Chapter 2 of the IPC Guide to LA FOIP, the IPC Guide to HIPA and Part III of IPC’s A Guide to Submissions all cover the topic of evidence and making your case. The Commissioner has also covered the topic of providing evidence in various reports, including Review Report 205-2019, 255-2019 concerning the Rural Municipality of Sherwood. Regarding the topic of evidence, the Commissioner had this to say at paragraphs 130 to 132:

[130]   Evidence is the material that parties must submit in reviews/investigations to establish the facts on which they are relying. Arguments are the reasons why a party thinks that the evidence shows certain facts to be true, or why the Commissioner should interpret the law in a particular way, so as to make the decision that the party wants the Commissioner to make.

[131]   Parties may not succeed in a review if they do not provide evidence to support their arguments. If the success of an argument depends on underlying facts, providing the argument alone is not sufficient.  Examples of evidence include affidavits, expert reports, news articles, meeting minutes, policy documents or contracts. In a review, the records at issue are treated as evidence. Although news articles are not generally thought of as reliable evidence, they may be relevant in cases such as where a party is trying to demonstrate that something is publicly available, or where personal information has been disclosed without authority.

[132]   It would not be sufficient to provide my office with records and leave it up to my office to draw from the records the facts on which the decisions will be based. In addition, it would not be sufficient to simply state “access is denied because of section 18.” It is up to the local authority to ‘make the case’ that a particular exemption applies. That means presenting reasons why the exemption is appropriate for the part of the record that has been withheld. This is usually done in the form of written representations, commonly called a submission.

Further to this, in Eaton v University of Regina, 2019 SKQB 127, the court considered if the public is entitled to know who funds research conducted at a public university and who receives the funding. In their analysis, Justice McCreary stated the University of Regina could use hypothetical examples to support an argument, but that their examples needed to be backed by facts rather than speculation or opinion. Such facts could be established in other materials. In other words, examples may provide perspective on a matter or help someone visualize what you mean, but you still need to back up your examples with facts and evidence.

Also, public bodies need to understand it’s not always obvious to the IPC what a record consists of, or what harms may come from its release. For example, in Review Report 196-2020 concerning the Ministry of Highways, the Commissioner considered Highways’ assertion that releasing forecast costs in a financial table could lead individuals to know the details of a negotiation pursuant to subsection 18(1)(d) of FOIP. The Commissioner ultimately found Highways did not make its case because it failed to link the forecast costs in the table to the negotiations, which is required in order to find this subsection applies. The Commissioner added that, on the face of the record, the forecast costs did not make this link apparent, but what may have supported Highways’ assertions is if it provided the IPC with supporting documentation such as briefing notes or decision items – in other words, evidence.

Evidence, or the lack thereof, can make or break a position taken or assertion made. It can include, among others, documents such as affidavits, expert reports, meeting minutes, policy documents, briefing notes, decision items or contracts – whatever is appropriate in the circumstance to support your position. After he considers your arguments or assertions – and evidence – you want the Commissioner to be able to say, “I think it is more likely, or more probable, than not”. Because simply saying something is true doesn’t always make it so.

 

Facial recognition – the path forward?

The media has focused considerable attention on facial recognition (FR). Access and privacy commissioners have been focusing on the issue too. The Ontario Commissioner has just posted an excellent blog on Mugshots to megabytes:  facial recognition has made privacy protection more urgent than ever.

The privacy protection authorities for each province and territory of Canada and the Office of the Privacy Commissioner of Canada have jointly issued a draft privacy guidance on facial recognition for police agencies. It is draft because we are embarking on a consultation across Canada.

The federal privacy commissioner has filed a special report on facial recognition technology. The report deals with the use of Clearview AI’s facial recognition technology by the Royal Canadian Mounted Police.

If you have an opinion or comment on the use of facial recognition by police forces, check out the Notice of Consultation and Call for Comments. This document outlines a series of questions and suggests the procedure for giving written feedback. Submissions may be sent via email to OPC-CPVPconsult1@priv.gc.ca until October 15, 2021. Feedback may be sent in the form of an email or Word document, in either official language. When submitting feedback, please provide your name and contact information and also indicate which category best represents your perspective (e.g. individual, academia, business, civil society/nonprofit, business association, government, etc.). In terms of what will happen with your feedback, see the feedback procedures section of this document.

This consultation allows you to take part in a debate that has been going on for some time. I encourage you to provide your input.

Mediation or case-by-case privilege

In the Commissioner’s Review Report 065-2020, he considered if mediation or case-by-case privilege applied to the records in question. The public body had claimed mediation or case-by-case privilege pursuant to subsection 22(a) of The Freedom of Information and Protection of Privacy Act (FOIP).

The Commissioner considered orders issued by the Office of the Information and Privacy Commissioner for Prince Edward Island (PEI IPC) and the Office of the Information and Privacy Commissioner of Alberta (AB IPC) in his analysis of the public body’s claim of mediation or case-by-case privilege. I will briefly describe the orders by PEI IPC and AB IPC.

In Order FI-09-005, the PEI IPC summarized what the Ontario Superior Court of Justice Divisional Court and the Supreme Court of Canada has said on mediation privilege and how it is considered on a case-by case basis:

In Rudd v.  Trossacs Investments Inc. 2006 CanLII 7034 (Ont.  S.A.), Swinton, J. reviewed the case law in respect of mediation privilege. At pp. 25-30, the justice says:

[26] Common law principles have recognized a privilege for confidential communications in certain important societal relationships.  In Slavuytych v.  Baker (1975), 1975 CanLII 5 (SCC), 55 D.L.R.  (3d) 224, the Supreme Court of Canada held that the four conditions from Wigmore on Evidence should be applied to determine whether communications are privileged (at 228):

(1) The communications must originate in a confidence that they will not be disclosed.

(2) The element of confidentiality must be essential to the maintenance of the relationship in which the communications arose.

(3) The relationship must be one which, in the opinion of the community, ought to be “sedulously fostered”.

(4) The injury caused to the relationship by disclosure of the communications must be greater than the benefit gained for the correct disposal of the litigation.

[27] In Slavuytych, the Court held that a document submitted in a university tenure process was privileged – in part because the document was labeled “confidential”, and in part because of the importance of confidentiality in the tenure process, where individuals are asked to give their frank opinion of colleagues.

Swinton, J.  also refers to a more recent case from the Supreme Court of Canada, saying:

[28] In M.(A.) v. Ryan 1197 CanLII 403 (S.C.C.), (1997), 1997 CanLII 403 (SCC), 143 D.L.R. (4th) 1 (S.C.C.), the Supreme Court reaffirmed the approach in Slavuytych, making it clear that privilege is to be determined on a case by case basis (at para.  20).

In my opinion, the Supreme Court of Canada’s views on the existence of legal privilege, outside of solicitor-client privilege or parliamentary privilege, still prevails.  Thus, it is a matter of determining whether, on the facts of the case, the conditions set out in Wigmore on Evidence have been met.

[Emphasis added]

Further, in Order 96-020, the AB IPC provides that case-by-case privilege can apply to two types of records: 1) private records, or 2) Crown records. Different criteria will apply to each type of records in determining whether case-by-case privilege applies. If the records are “private records”, then the “Wigmore criteria” as set out in PEI IPC’s Order FI-09-005 (quoted above) can be used to determine if case-by-case privilege applies. If the records are Crown records, then AB IPC indicated that the Crown “must put forth a proper claim based on the criteria for public interest immunity” in determining if case-by-case privilege applies. AB IPC said:

[79.] For a case-by-case privilege to attach to Crown records, the Court in Carey v. Ontario said that the Crown must put forth a proper claim based on the criteria for public interest immunity. Those criteria, which have been adopted by Leeds v. Alberta (Minister of the Environment) (1990), 69D.L.R. (4th) 681 (Alta. Q.B.), are:

(1) The nature of the policy concerned.

(2) The particular contents of the documents.

(3) The level of the decision-making process.

(4) The time when a document or information is to be revealed.

(5) The importance of producing the documents in the administration of justice, with particular consideration to:

(i) the importance of the case

(ii) the need or desirability of producing the documents to ensure that the case can be adequately and fairly represented

(iii) the ability to ensure that only the particular facts relating to the case are revealed.

(6) Any allegation of improper conduct by the executive branch towards a citizen.

In Review Report 065-2020, the Commissioner determined that the records were private records. As such, he applied the Wigmore criteria to determine if mediation or case-by-case privilege applied to the records. To see the Commissioner’s analysis, findings, and recommendations, check out the report here.

In Review Report 171-2019, the Commissioner determined that records were Crown records. Therefore, he adopted the public interest immunity criteria set out in AB IPC Order 96-020.

When considering if mediation or case-by-case privilege applies to records, public bodies should do the following:

  • Determine if the records are “private records” or “Crown records”.
  • If the records are “private records”, then apply the Wigmore criteria to determine if mediation or case-by-case privilege applies.
  • If the records are “Crown records”, then apply the public interest immunity criteria.

In either case, if public bodies are claiming the records fall into either category, then the public body should be ready to make the case in the event a review by our office is undertaken as the burden of proof rests with the public body.