What Councillors should know about LA FOIP
The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) sets out the access to information and protection of privacy rules that municipalities must follow. As a mayor, reeve or councillor, it is important that you understand these rules. They are intended to promote public accountability, facilitate informed public participation in policy formulation and ensure fairness in government decision-making. These same rules also limit a municipality’s authority to collect, use and disclose personal information. The access and privacy principles of LA FOIP are also enshrined in sections d and e of the Code of Ethics for Members of Council.
The head of the local authority is the mayor, reeve or chairman of the local advisory committee (ss. 2(e) of LA FOIP). The head has all decision-making powers for the local authority under LA FOIP. However, the head can delegate these decision making powers, in writing, to someone else within the local authority (s. 50 of LA FOIP) such as the administrator.
As a councillor you will need to have a clear understanding of what these rules are to ensure that you abide by them, and further, so that you do not create a liability for your municipality.
Access Rules you Should Know
Access Rules for Municipalities
All records of the municipality are subject to LA FOIP: The principle of access to information is simple. An individual has the right to all documents/records in the possession or under the control of the local authority. This is in addition to any information that must be made available for public inspection pursuant other legislation such as The Cities Act or The Municipalities Act.
Some information can be withheld: Only some information can be withheld if a specific exemption applies. The exemptions are found in Part III of LA FOIP. Also, a local authority must be careful to protect privacy when releasing documents. Examples of exemptions include solicitor-client privilege and third party business interests. For more information about exemptions, see the Office of the Information and Privacy Commissioner’s (IPC) Guide to Exemptions available on its website.
LA FOIP establishes a process for dealing with access requests: Part II of LA FOIP sets out rules that local authorities must follow when an access to information request has been received. Special attention should be paid to section 5.1 of LA FOIP which imposes a duty to assist the applicant by responding to a request for access openly, accurately and completely. For more information on what this means, see IPC Resource Understanding the Duty to Assist. See also sections 7 (how to respond to an access request), 8 (severing records) and 9 (fees that can be charged) of LA FOIP.
Cities, towns, villages or rural municipalities all qualify as local authorities.
Access Tips for Councillors
Understand LA FOIP’s application: LA FOIP applies to records in the possession or control of a local authority. However, LA FOIP would not apply to records of Elected Officials if those are collected or generated in the course of conducting political activities. If instead the Elected Official is engaged in carrying out the mandate or functions of the local authority, then LA FOIP most likely will apply to those records.
Examples where LA FOIP applies are your correspondence with municipal officers and employees and your correspondence with non-municipal government officials and employees where you have copied municipal officials and employees or where you are carrying out the business of council.
Examples where LA FOIP may not apply include your election or political records as they are not in the municipality’s possession or control and your emails to constituents unless they are forwarded to or shared with a municipal employee or official.
Understand exemptions: The municipality is responsible for all access to information requests. It is important to understand the access to information process, where exemptions may apply and know what municipal records can and cannot be disclosed by you. Always consult with the head and/or delegate.
Understand record retention policies: In order for your municipality to ensure it is meeting its access duties, the municipality must have access to all of its records. This means that you have a duty to ensure that any information you collect or create in the course of your duties is stored in the municipality’s official storage system. Information created or stored on your personal devices and email accounts is subject to the access rules if the information relates to the mandate of the municipality. Follow the records creation, storage and retention policy of your municipality.
Privacy Rules you Should Know
Privacy Rules for Municipalities
Part IV of LA FOIP describes the rules about what a local authority can do with personal information.
The definition of personal information is found in section 23 of LA FOIP. However, this list is non-exhaustive. In other words, information that is not listed in this subsection may still qualify as personal information. A good rule of thumb for identifying personal information is to ask the following two questions:
- Is it about an identifiable individual?
- Is it personal in nature?
Duty to protect – section 23.1 of LA FOIP requires a local authority to have policies and procedures to maintain administrative, technical and physical safeguards that protect personal information. For more information on the duty to protect, see IPC resource Privacy Breach Guidelines for Government Institutions and Local Authorities.
Collection of personal information – sections 24 and 25 of LA FOIP indicate what personal information a local authority can collect and how it can be collected. Local Authorities should follow the data minimization principle and collect only what is necessary for the purpose.
Accuracy of personal information – ensures local authority collects and uses only accurate personal information.
Use of personal information – local authorities should only use information for the purpose it was collected, or for the same reasons listed for disclosure under subsection 28(2) of LA FOIP.
Disclosure of personal information – Section 28 of LA FOIP indicates that a local authority should not disclose personal information without the subject individual’s consent, except for the reasons listed under subsection 28(2) of LA FOIP or the Regulations such as for the protection of the health or safety of an individual. Accidental disclosures of personal information such as loss or theft is also a privacy breach. Safeguards must be in place to protect against accidental disclosure.
Privacy Tips for Councillors
Collection: You should only collect personal information in three main circumstances:
- the individual consented,
- the information is necessary for the performance of your duties as a councillor, or
- compelling health or safety circumstances exist that create a need to know.
Limit uses and disclosures of personal information: Once you have been entrusted with personal information, you should only use it and/or disclose this personal information for the reason it was shared with you, or with council. A disclosure of personal information by you could result in a privacy breach. This includes discussing personal information at public council meetings. It is important that you seek direction from the head or delegate when in doubt about using or sharing personal information.
Safeguard personal information: You are responsible to ensure that the personal information you receive from the municipality is accounted for and secured. Common safeguards that will help you avoid a privacy breach include leaving personal information at the municipal office and using secure email with strong passwords. If you must travel with portable storage devices such as laptops or cell phones, ensure that they are encrypted and never leave them unattended. Also have a plan for dealing with the records when you retire as councillor.
For more tips about protecting privacy, see the IPC’s resource Best practices for Mayors, Reeves, Councillors, and School Board members in handling records that contain personal information and personal health information available on our website.
Where can you Take Your Questions?
Part of the IPC’s mandate is to ensure compliance with LA FOIP. We are happy to answer any questions related to LA FOIP.
The IPC also has an oversight role. The IPC can review any access related decisions made by the local authority and generally ensure that the local authority has followed proper procedures. With respect to protection of privacy, the IPC may launch an investigation into an incident to determine if a privacy breach occurred and to ensure that the local authority’s response has been adequate.
The IPC thanks Nova Scotia’s Office of the Information and Privacy Commissioner for the inspiration for this resource.