Non-Parliamentary Submissions by the OPC on Privacy Issues

Revitalizing access to information

Submission to the Treasury Board of Canada Secretariat

June 30, 2016

Information and Privacy Policy Division
Treasury Board of Canada Secretariat
Flaherty Building, Floor 04
90 Elgin Street
Ottawa, ON K1A 0R5

Subject: Submission on Revitalizing access to information

We would like to take this opportunity during the government's consultation of the federal Access to Information system and the state of the law to provide some thoughts on the intersection between facilitating information access while also upholding fundamental privacy protections. We strongly support the government's objective of greater openness and transparency and are pleased to participate in the deliberations on how best to achieve that important objective in the interest of Canadians we serve. We also note the active role taken by the House of Commons Standing Committee on Access to Information, Privacy and Ethics, which earlier in June issued findings and recommendations on improving Canada's access to information regime.^{Footnote 1}

By way of background, my mandate is to oversee compliance with both the Privacy Act (PA), which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. The mission of my Office is to protect and promote the privacy rights of individuals.

As I have indicated on numerous occasions to Parliament, the Access to Information Act (ATIA) and PA are intended to work together as a seamless code. ^{Footnote 2} The words of the Supreme Court of Canada are particularly apt on this point: "The right of access to government information, while an important principle of our democratic system, cannot be read in isolation from an individual's right to privacy." ^{Footnote 3} Given this, my view is that changes to one Act must necessarily take into account the other. In other words, the review of the two Acts should take place concurrently.

I fully agree with the Information Commissioner that legislative renewal is long overdue; in fact, review of both acts has become a matter of some urgency. However, the government has indicated its intention to proceed in two steps: early changes to the ATIA on selected issues, to be followed by a more systematic review of that Act in 2018. While we would prefer another approach, we take note of the government's intention, and we are hopeful that the longer term study will include the PA.

If the government's approach is maintained, we suggest setting aside those specific ATIA amendments that impact the scope of the personal information exemption or otherwise affect individuals' right to privacy until both Acts can be more carefully reviewed in tandem, not isolation. In that regard, I advocate not for delay, but rather underscore the importance of reforming the Acts in unison on issues that lie at the intersection of both.

What follows below are recommendations for certain areas of consultation where amendments to the ATIA would impact the PA either directly or indirectly, and by indirectly we mean changes to the ATIA that would likely result in parallel changes to the PA, for instance.

Open Government

There are compelling reasons to move towards the "open by default" model for government records. It would facilitate access to information by taxpayers to whom governments are accountable, allow for informed decision-making by an engaged citizenry, support greater transparency and openness fundamental to a healthy democracy, as well as help alleviate stress on the over-burdened administrative system in place to process ATIA requests.

Similarly, providing access to one's personal information is a critical enabler of transparency and accountability. The purpose of the PA was to allow individuals to know how their personal information is used and shared with others. This was also to be a means to hold governments to account for administrative decisions made about individuals. Both ATIA and PA serve the ends of more open, transparent government.

In other words, at the conceptual level, more open, transparent government is an important policy objective. At the same time, personal information (both identifying an individual and cases where a person is identifiable) must also continue to be protected, particularly within an environment of open government. Access and privacy rights should be pursued as parallel goals, not separate streams, and while this can be challenging at times, we are confident these rights can be reconciled.

Recommendation: We support the policy objectives of Open Government as well as the need to protect privacy.

Personal Information Exemption

By way of example, the exemption for personal information under the ATIA must be carefully thought through, given the current state of the law that recognizes "privacy is paramount over the right of access to information".^{Footnote 4} This is not to say that privacy is, or should be, an absolute override to access, but this weighting of the imperatives at play needs to be factored into decision-making. I believe the current override under subsection 8(2)(m) of the Privacy Act, which permits disclosures made in the public interest, generally works well, with due consideration given to all relevant factors and with appropriate oversight by my office. Furthermore the dual objectives of providing access and protecting privacy are carefully balanced under the current exemption by allowing access if personal information can be severed from the records.

The Office of the Information Commissioner of Canada (OIC) has suggested adopting a model similar to that found in several provinces that take another approach to balancing privacy and access that arguably reverses the onus and changes the threshold for public interest disclosure. We would note that in the recently completed review of the ATIA by the House Standing Committee on Ethics, Privacy and Access to Information, privacy implications were not fully examined.^{Footnote 5} While the OIC perspective merits consideration, this should not be done in isolation. Rather, it should be part of a wider, more holistic review, encompassing both Acts and their underlying policy aims.

However, if the government wishes to adopt the provincial model of a public interest override instead of the current federal law, we suggest that the interests of the affected individual should be protected by giving that individual the opportunity to intervene before their personal information is disclosed. This right of intervention would be similar to the right given to third parties in respect of confidential information under subsection 20(1) of the current ATIA.

Recommendation: The current ATIA exemption for personal information and the public interest override provisions of the PA should remain in place until an in-depth study of both Acts would determine whether to maintain or change the balance struck by Parliament when it adopted both Acts as a "seamless code".

Order-making power

Like the OIC, we think the current ombudsman model is inefficient and under challenge. In that regard, we do not favour the status quo. Order-making is certainly one solution deserving of consideration, but it is not the only possibility. In our submissions to the House Standing Committee on Ethics, Privacy and Access to Information, we have stated that the order-making model may carry certain legal risks, that the Newfoundland and Labrador model also deserves consideration and that we would make final recommendations following a careful study of potential options. We plan to make these recommendations early this fall.

Allowing the Information Commissioner, who at the federal level has the primary mandate to promote access, to order disclosure of personal information would effectively reverse two principles of the current law. First, that considerations of privacy are paramount over access, and second that the Privacy Commissioner has exclusive jurisdiction over privacy protection.^{Footnote 6} While the OIC recommendations deserve all due consideration, they cannot be properly assessed or adopted in a silo, absent a concurrent review of the PA and the ATIA. The substantive provisions and the role of Commissioners should be considered together.

Recommendation: Allowing the Information Commissioner to order disclosure of personal information should not be adopted absent a concurrent review of the PA and the ATIA.

Cabinet override on orders

Should an order-making model ultimately be adopted, we would favor in this model a process for judicial review rather than ministerial veto. Such an avenue would permit the government to raise objections against release, but allow also for other arguments from the parties involved, with an independent, impartial court providing the ultimate decision. We recognize that the government may wish to give enhanced protection to information of a national security nature, and the Canada Evidence Act could offer potential solutions in this regard.

Recommendation: Should an order-making model ultimately be adopted, we would favor in this model a process for judicial review rather than ministerial veto.

Provide requestors with an explanation when information cannot be released

In principle we support the provision of reasons where access is denied. A rationale for such decisions is generally required under administrative law and this clarity would ultimately strengthen access provisions. At the same time, the way exceptions under the PA are presented currently are often self-explanatory and individuals receive a list of exceptions applied to their request as well as additional information on the exercise of discretion. Given that, in practice, reasons are generally self-evident and, given the operational cost of having to provide reasons in all cases, we think it may be prudent to require disclosure of reasons only upon request of individuals.

Recommendation: Both Acts should be amended to provide for the right to reasons, upon request.

Frivolous or vexatious complaints

Our Office also has had some experience with frivolous and vexatious complaints, both under the PA and PIPEDA. Such complaints affect our ability to manage caseloads better and to focus on issues that affect broader concerns. We appreciate that discretion could be seen by some as limiting access. However, some careful exercise of discretion may actually be necessary in order to properly manage limited resources in a way that maximizes the meaningful promotion of rights.

We take no position on the granting of the OIC this discretion. For our part, we certainly would appreciate reform that would allow us to better manage our own caseload. However, we believe the question in the Privacy Act context deserves careful analysis, with particular consideration of the broader discretionary powers under PIPEDA. We believe that the comprehensive review is the best time to consider these issues for the purpose of the PA.

Scope of application of the ATIA

As indicated above, given the ATIA and PA are designed to function as a "seamless code", any changes in scope to the former must take into account the latter. To that end, we would be in agreement to extend the scope of the ATIA and PA to encompass Ministers' Offices, including the Prime Minister's Office, since this supports an individual's right of access to information, including their own personal information, regardless of where in a government institution it is held.

At the same time, as noted in the consultation, constitutional questions may arise from extending the scope to include the administrative bodies that support Parliament and the courts. As a consequence, we would suggest a need for additional examination of the full potential impact of extending either Acts to these institutions.

Recommendation: The Access to Information Act and the Privacy Act should both be amended to cover Ministers' Offices and the Prime Minister's Office. Broader application of the Acts to other branches of government should be studied in detail before proceeding.

Legislative review

We believe that ongoing legislative review of the ATIA and the PA every five years is desirable, and would allow Parliament to assess whether the legislative framework was functioning as expected, particularly given rapid changes in technology. We note that some provincial access and privacy legislation (e.g. Quebec and Newfoundland and Labrador) includes a five-year review, and that British Columbia's is to be reviewed on a six-year cycle.

Recommendation: The Access to Information Act and the Privacy Act should be amended to include a mandatory ongoing review every five years.

Strengthening performance reporting

We would be strongly in favour of improved reporting from organizations around both ATIA and PA. Good transparency reports serve multiple ends: they reinforce internal accountability, they provide an ongoing impetus to improve operations and service, they shine a light on problem issues and they educate the general public about both their rights (as citizens) and the culture of the organization in question.

Under both the ATIA and PA, existing reporting obligations would benefit from being expanded, made more accessible and given greater prominence within department's proactive disclosure section of their website. We believe that this move towards openness would support the government's stated objectives of transparency, and restore faith in the access to information system as a whole.

In addition, as recommended to ETHI as it examined this issue, we believe transparency reporting should also cover obligations for government institutions to report on use of lawful access powers, as another example of how reporting obligations could better inform the public.^{Footnote 7}

Recommendation: Performance and transparency reporting around both the Access to Information Act and the Privacy Act should be strengthened and augmented.

Urgent Amendments

As mentioned in the introduction above, it seems clear that both the PA and ATIA are in urgent need of updating. If the government ultimately opts to proceed in two phases, it is not clear to us why urgent amendments would be limited to the ATIA. As mentioned before the ETHI Committee during its study, technology has outpaced the PA in terms of collection, sharing and protection.

I would therefore take this opportunity to stress that three amendments in particular be made in the short term for the PA specifically: the need to adopt an explicit necessity threshold for collection, a breach notification provision made explict in the Act and a requirement for written information-sharing agreements with prescribed content. Our submission to a review of the Act currently under way in Parliamentary committee provides more context and elaboration on these particular issues.^{Footnote 8}

Recommendation: If the government proceeds in two steps, the first step should include our three suggested amendments.

Open government and increased transparency remain critical areas for government reform and I thank you for the opportunity to provide my input into this important process.

Sincerely,