Your online picture can be used by others

Australian officials commit to overhaul the Privacy Act

Ontario Proposing Legislation To Better Protect Children

Sophisticated Cyber attacks on BC

Microsoft to make security a top priority

Ontario introduces cybersecurity bill

Ontario IPC probes government use of non-government email accounts

Federal Privacy Commissioner launches breach reporting tool

Ontario IPC issues guidelines on third party procurement


Why some reviews and investigations cannot pass go (updated)

November 30, 2023 - Diane Aldridge, Deputy Commissioner

If you have ever contacted our office regarding a concern with how an organization (government institution, local authority or trustee) has responded to your access to information request or handled your personal information or personal health information, you would have been told that we are an office of last resort. As the oversight body, we are an appeal body. That means that you first must have made the access request to the appropriate body and waited the requisite period of time, usually 30 calendar days, before bringing your concerns to our attention. The same can be said for privacy complaints, for the most part. But, even once you submit your request/complaint, we don’t immediately open a file as we have to make a decision in terms of if we can proceed.

What do I mean by that? Firstly, we must have jurisdiction. That is, the organization that your request/complaint is directed to qualifies as a government institution, local authority or trustee. Even if it appears this is the case, we also need grounds to proceed. It is much more straightforward in a review if we have grounds as will be evident from the documentation, but the applicant still needs to point out which issues they want us to consider in the review (i.e., fee estimate, manner of access, search, fee waiver, access denied, time extension). So clearly, providing all the necessary documentation is crucial for us to move forward.

With a privacy complaint, if you believe that an organization has breached your privacy, what you bring to us must be specific and convincing. For instance, what personal information or personal health information is involved? On what day/time did the alleged inappropriate or unauthorized collection, use or disclosure of your personal information or personal health information occur? Who was involved? How do you know that this occurred? What proof do you have that would support your assertions?

In either case, if enough information is not provided even after our intake team intervenes, the request/complaint may be dismissed and no formal review or investigation is undertaken by our office. This could happen too if statutory time limits have expired.

If it looks like our office has jurisdiction and sufficient grounds to go forward with a review or investigation, formal notices to the parties are sent indicating that we are proceeding. However, we could still end up discontinuing the review or investigation if we are convinced that the appeal concerns a trivial matter, is frivolous, vexatious, not made in good faith, or for other reasons noted in the legislation. For the most part, the reasons for making an access request(s) or submitting a privacy complaint(s) aren’t relevant, but motives may be considered if actions taken by the submitter of the request/complaint amount to an abuse of process. For example, the following excerpts are taken from our Review Report 225-2015:

  1. Did the Applicant request this review on grounds that are frivolous, vexatious or not in good faith?

[10] Subsections 43(2)(a) and (b) of HIPA provides:

43(2) The commissioner may refuse to conduct a review or may discontinue a review if, in the opinion of the commissioner, the application for review:

(a) is frivolous or vexatious;

(b) is not made in good faith;

[11] This provision enables the Commissioner to dismiss or discontinue a review where it appears the access provisions of HIPA are not being utilized appropriately. …

[12] Personal health information is one of the most sensitive forms of personal information. It is collected primarily for reasons connected with patient care and is collected under circumstances of vulnerability and trust. Therefore, denying someone the right of review should only be permitted in the most extreme of circumstances and when there is compelling evidence to do so.

[13] On the other hand, HIPA must not become a weapon for disgruntled individuals to use against a trustee for reasons that have nothing to do with the Act. …

[16] Depending on the nature of the case, one factor alone or multiple factors in concert with each other can lead to a finding that a request is an abuse of the right of access. …

[62] The rights afforded the public to access under HIPA are accompanied by concomitant responsibilities on the part of Applicants. One of these responsibilities is working in tandem with the trustee to further the purposes of the Act. Actions, on the part of an Applicant that frustrate this approach can be said to be an abuse of this process. Examples include overwhelming a trustee with access requests, not working constructively to resolve issues, making repeated unfounded accusations and being uncooperative or harassing to those who are attempting to assist.

[65] In conclusion, considering all that is before me, I find that the Applicant’s review request is vexatious.

[66] I find that the review under consideration has been initiated on vexatious grounds pursuant to subsection 43(2)(a) of HIPA. I therefore discontinue this review

[Emphasis added]

In the above case, the review was discontinued for the reasons noted, but this not a common outcome. I find in most cases, individuals that come to our office do so in good faith and are eager to cooperate and not surprisingly, those files proceed without complication. So, if unclear at all as to what is required, please contact us.



Categories: Blog

Back to Blog