Rural Municipalities – so, how should you manage personal information?
In Saskatchewan, rural municipalities (R.M.) are governed by The Municipalities Act, and the R.M.’s activities are carried out by an elected council. Council’s activities include, among others: representing the public and the interests of the municipality; developing and evaluating municipal policies, programs and services; participating in council meetings; and ensuring council has administrative practices and procedures in place.
Sometimes, it may appear to a council that its activities and The Municipalities Act conflict with The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, pursuant to The Municipalities Act, R.M.s are required to make council minutes publicly available after council has adopted them. The Municipalities Act also states that councils are to conduct their meetings in public. It might appear, then, that R.M.s have the ability to post personal information when attending to council business, but that is not always the case.
The Municipalities Act also states that councils and council committees can close all or part of their meetings to the public if the information is exempt from disclosure pursuant to Part III or Part IV of LA FOIP. If a R.M. does not have an individual’s consent to make their personal information public, then it has to rely on subsection 28(2) of LA FOIP to do so. In so doing, the R.M. should consider the following principles:
- Need to know – the R.M. should disclose personal information on a need-to-know basis; and
- Data minimization – the R.M. should disclose the least amount of personal information required for the purpose.
In Investigation Report 282-2018, the Commissioner reviewed a matter involving the disclosure of personal information in R.M. meeting minutes. In addition to the need-to-know and data minimization principles, the Commissioner recommended that R.M.s implement the following best practices:
- If a R.M. council is discussing correspondence or a matter that contains sensitive personal information (such as health or financial information), the best practice is for the R.M. to provide council members with a redacted version of the personal information, or only the personal information that is necessary for the discussion. The discussion should be closed to the general public or held in camera. After coming out of the closed meeting, the R.M. should then pass a motion with basic or no personal information contained in it.
- In meeting minutes, the R.M. should record the least amount of personal information, although best practice is to record no personal information. For example, in meeting minutes, the R.M. could refer to “an Applicant”, “a Complainant”, “a Rate payer”, “a Tax payer” or could use the initials of the person it is discussing.
- If council includes personal information in its minutes, then before posting to its website, the best practice is to redact that personal information.
- To help members of the public decide which personal information to provide to the R.M., the R.M. should provide notice, such as through pamphlets or information on its website, explaining how the R.M. may include personal information as part of public council or committee meetings, or that the R.M. may publish it to its website.
As you can see, The Municipalities Act and LA FOIP do not conflict – they actually support each other. As a R.M., following the best practices the Commissioner has laid out can help ensure you meet the intent of these pieces of legislation. It can also (hopefully) help you avoid an investigation by the Commissioner!