Decisions of Administrative Tribunals – How Much is Too Much?
The proceedings of administrative tribunals often involve sensitive issues such as alleged wrongdoings, traumatizing incidents, and as a consequence disclose personal information. By publishing decisions or notices to the internet, administrative tribunals are attempting to demonstrate their public accountability and be transparent in their decision making process. Though the practice is laudable, the reality is that once an administrative tribunal publishes a decision to its website, it is essentially providing access for anyone in the world to see and use. Having this information available so publicly potentially opens individuals up to identity theft, stalking, discrimination, etc.
This resource is focused on administrative tribunals’ decisions that are published to the internet. The resource provides general non-binding advice and is only meant for consideration for administrative tribunals as they develop their policies and procedures on the publication of decisions to their websites.
What are the rules?
In Saskatchewan, there are three privacy laws that may be applicable to administrative tribunals; The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and/or The Health Information Protection Act (HIPA). These Acts apply to government institutions, local authorities, health regions, trustees, school boards, etc. Organizations subject to these Acts must only collect, use and disclose personal information and personal health information in accordance with the applicable privacy law.
For a full definition of what is considered personal information see subsection 24(1) of FOIP and 23(1) of LA FOIP. Generally, the following is considered personal information:
- information about an identifiable individual;
- is personal in nature;
- the personal views or opinions offered by an individual are the personal information of that person;
- the personal views or opinions of one individual about another person is the personal information of the other person; and
- employment history is considered personal information.
The following is considered personal health information under HIPA. For a full definition see subsection 2(m):
- information with respect to the physical or mental health of the individual;
- information with respect to any health service provided to the individual; and
- registration information.
Open Courts Principle
The open court principle provides that the courts should be open to public scrutiny to ensure the proper administration of justice. The right of the public to access the courts has been clearly articulated by the Supreme Court of Canada. However, there are exceptions to this principle which include instances like publication bans where openness is limited to protect the privacy of the parties involved.
It is also important to remember that administrative tribunals are different from the courts in that administrative tribunals:
- may be subject to freedom of information and protection of privacy laws in Saskatchewan;
- often have citizens appear without legal representation and without knowledge of applicable privacy laws; and
- are not typically dealing with issues where there can be penal consequences.
Need-to-know and Data Minimization
The need-to-know rule is that personal information and personal health information should only be available to those employees in an organization that have a legitimate need to know that information for the purpose of a program or activity of an organization.
The data minimization rule means that an organization should always collect, use and disclose the least amount of personal information or personal health information necessary for the purpose.
These two rules underlie section 28 of FOIP, section 27 of LA FOIP and sections 23 and 26 of HIPA. Regardless of whether or not an administrative tribunal has the authority to disclose personal information or personal health information during their proceedings is not the issue; the issue is how much personal information is necessary to disclose in order to serve the purpose of the tribunal?
To get a little more perspective on need-to-know and data minimization rules, we will look at a few examples:
Saskatchewan Registered Nurses’ Association
A nurse under the Saskatchewan Registered Nurses’ Association (SRNA) received a Notice of Hearing regarding professional misconduct, as the nurse had previously posted on her personal Facebook account her grandparents’ personal health information. The Notice of Hearing could be found on the SRNA’s website, and contained an excerpt from the nurses Facebook page. Subsection 27(4)(i) and section 30 of HIPA authorizes the SRNA to disclose personal health information to a member who is facing a disciplinary hearing. It does not, however, authorize the disclosure to the general public (i.e. through the SRNA website).
Our office received a complaint regarding this matter, and produced a report with our findings; Investigation Report 109-2016. The findings from the Commissioner relevant to this document were:
- The information disclosed qualified as personal health information as defined by HIPA;
- HIPA authorizes the disclosure of personal health information to the member of the SRNA who is being disciplined, not to any person who accesses SRNA’s website; and
- SRNA did not abide by the data minimization principle as outlined in section 23 of HIPA
Since the completion of this report, the SRNA has since changed their procedures regarding publishing decisions to their website, and now redacts personal information from the Notice of Hearing, Discipline Decisions and Penalty Decisions.
“The de-identification of identifiable information should not be at the discretion of the SRNA but it should be done in accordance with HIPA.” – IR 109-2016
Automobile Injury Appeal Commission (Report 2005-001)
A Complainant was concerned about the Automobile Injury Appeal Commission’s (AIAC) practice of publishing the full text of its decisions on its website, which included both personal and personal health information. The individual made a complaint to the IPC. The Commissioner found that there was no legislative requirement to publish decisions on the AIAC website and that the AIAC should follow privacy “best practices” in Saskatchewan.
Since the completion of this report, the AIAC has since changed their procedures regarding publishing decisions to their website. Their decisions now de-identify personal information by using only the initials of the appellant’s name, redacting information such as the city/town of residence, etc.
Here are some steps that our office finds to be reasonable that administrative tribunals may follow in order to ensure that the need-to-know and data minimization rules are followed, while still displaying transparency and public accountability:
- Identify the kinds of personal information the tribunal regularly deals with and determine whether or not including that information is necessary in order to get your point across when posting a decision on the internet.
- Have a Privacy Officer on staff with the knowledge of applicable access and privacy legislation. This person should be responsible for ensuring the tribunal has appropriate policies and procedures concerning what can and cannot be done with personal information, and make sure that all staff are familiar with these policies.
- If there is no requirement for internet publication, tribunals should consider whether or not that extra step is necessary.
- If a tribunal decides it is necessary to publish decisions online, consider de-identifying information such as a person’s name and removing unnecessary personal information. Alternatively, if a tribunal decides it will publish its decisions on its website, then, write the decision (from the beginning of the process) in such a way that the parties are de-identified and the least amount of personal information is disclosed.
- Notify citizens of the types of personal information that may be published on the internet before they involve the tribunal or commence proceedings.
- Look at personal information of different individuals and the role each plays in the process (i.e. Family members, witnesses); some may need to be identifiable but not necessarily others.