Managing access to information requests by public sector organizations has never been more challenging than it is today. Complex public-private sector business arrangements, growing expectations for access by the public and increasing volumes of electronic records are all making it difficult to navigate access to information laws in the context of the real world. As a result, I thought that a one hour complimentary webinar would help! I hope you can attend.
What topics will be covered?
- Overview of access to information 101: the basics
- The 3 vantage points: public bodies, applicants & third parties
- Review of recent cases/headlines
- Identifying key legal and PR landmines
- Discussion of trends in access to information
- Practical tips for managing requests in a cost-effective manner
Who should attend?
Public bodies who are subject to access to information laws, private-sector organizations who regularly deal with public bodies and individuals/organizations who routinely initiate access to information requests under public sector access to information laws.
When is the webinar?
Wednesday, January 26th, 2011 from 1 – 2 PM (CST)
Please register <here> (space is limited)
A former administrator in the Rural Municipality of La Broquerie has alleged that town politicians installed hidden video surveillance cameras in nearly every room in the municipality offices to secretly spy on rival councillors, staff and even the public.
Manitoba’s Ombudsman is investigating these explosive allegations. If they are true, it is very hard to image a legal defence. But can the use of covert video surveillance ever be legal?
Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m pleased to post the following conversation with my fellow Manitoban and our Provincial Ombudsman, Irene Hamilton.
Irene Hamilton, and her team of professionals at the Office of the Manitoba Ombudsman (the Ombudsman’s Office”), provides excellent service to Manitobans. Thanks to Irene Hamilton’s leadership, the Ombudsman’s Office has made a number of improvements to its operations over the years. I’m looking forward to seeing the changes to the Ombudsman’s Office website referenced below.
Thanks to Irene Hamilton for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Irene Hamilton, the Ombudsman’s Office, or the issues raised in this conversation, I’d encourage you to visit the Ombudsman’s Office website.
Q. In most other provinces, privacy oversight is performed by an Information and Privacy Commissioner. How does the role of the Ombudsman compare to these positions?
A. In Manitoba, the Ombudsman is the Information and Privacy Commissioner as well. The role and function of the Ombudsman is similar to 10 of the 15 federal, provincial and territorial jurisdictions in Canada that have access to information and protection of privacy laws. In these 10 jurisdictions, the Information and Privacy Commissioner has “ombudsman” powers – that is, the power to comment proactively, investigate complaints and make recommendations to public bodies, but not the power to issue orders. In Prince Edward Island, Quebec, Ontario, Alberta and British Columbia, the Commissioners can issue orders in relation to access to information and protection of privacy.
There are other differences among the jurisdictions as well. With The Personal Health Information Act or “PHIA”, Manitoba had the first information privacy statute in North America dealing specifically with personal health information (as opposed to Manitoba’s Freedom of Information and Protection of Privacy Act, or “FIPPA”, that concerns access to and privacy of other kinds of information). Four other Canadian provinces have enacted similar legislation to PHIA since 1998, when PHIA first came into force here.
Q. The Freedom of Information and Protection of Privacy Act (“FIPPA”) includes, as its title suggests, both access to information and privacy mechanisms. On the face of it, these two terms seem inconsistent. How do we bring them together?
A. The application of the provisions of FIPPA do not create the inconsistency that one might infer from the title.
FIPPA has a set of rules concerning access to information and a set of rules concerning privacy of personal information. These two sets of rules are contained in two distinct parts of the Act and are administered separately.
There is a set of rules on how an individual can formally request access to a particular record under the control of provincial and municipal governments and other public bodies and how the public body is to respond. The general rule is that an individual has the right to see or receive a copy of the requested record, but specific exceptions can apply. One of those exceptions relates to protecting the privacy of information about another individual. The idea is to provide as much of the requested information as possible. This particular set of rules is triggered only when a person makes a formal FIPPA request for information.
The other set of rules in FIPPA is always in operation. These rules set out how provincial and municipal governments and other public bodies are to handle records containing personal information that are in their control while conducting their duties. These rules describe in what situations a public body can collect, use or share personal information and the basic rule is that the most limited amount of personal information necessary is to be handled for a particular situation. While an individual can expect certain privacy, there are specific situations where records about them can be collected, used or shared without their consent — for example for safety, public policy and specific operational reasons.
Q. Your office supports the “Right to Know” initiative. What is “Right to Know” about and why do you support it?
A. “Right to Know” is an international celebration observed annually in late September, to remind people that governments have legislation allowing people to obtain information held by government and other public bodies. The right of access, when used by individuals or organizations like media, helps to improve knowledge about government, scrutinize government and address public issues. “Right to Know”, with its public events and media focus, reinforces the commitment to a culture and spirit of openness, and promotes public awareness of access to information principles and the resources that assist in adherence to the legislation.
Q. Manitoba, like other provincial governments, has introduced Enhanced Identification Cards (“EIC”) to respond to increased security demands at U.S. border crossings. What role has your office played in the development and rollout of EICs?
A. Together with my Privacy Commissioner colleagues, I am of the view that the Enhanced Identification Card or “EIC” — a voluntary identity document for entry into the U.S. by road or water — raises privacy implications. I am pleased to say that my office was consulted early in the development of the Manitoba Enhanced Identification Card and we continued to be involved as the Manitoba Enhanced Drivers License was introduced as well. Through our participation we wanted to accomplish two main goals: 1. to fulfill our oversight role in relation to new government programs or initiatives by providing our comments to ensure the protection of personal information to the extent possible; and, 2. to bring the perspective of the public to the process by asking questions that people might have. In the process, we have promoted providing detailed information to the public so that they can determine if the EIC or EDL is the right card for them. We have also produced a “privacy awareness fact sheet” for persons considering obtaining an EIC or EDL. This is on our web site, at www.ombudsman.mb.ca.
Q. Your office releases summaries of selected access and privacy cases on its website. What is the most common area you investigate and report on?
A. One of our goals for this year is to redesign our website and include regular postings of our reports online for the reference of information privacy professionals as well as the public that will provide a better understanding of how we interpret various sections of the acts, and the basis upon which we come to our conclusions. Having said that, since June 2005 our office has produced dozens of “practice notes” about interpreting and administering various sections and principles of FIPPA and PHIA, probably of greater interest to information privacy professionals than to the public. These, too, are on our Manitoba Ombudsman web site.
We find that the greatest number of complaints that we receive are refusals of access to information under FIPPA. This includes not only responses by public bodies refusing access, but also failures to respond to the applicant. Unfortunately, we also receive numerous complaints about privacy breaches under PHIA.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. The file that will be most time consuming for us will be privacy protection of personal health information in the electronic health record that has been under development in Manitoba and across Canada for some time. Significant funds have been made available to Departments of Health throughout the country to build electronic systems that will connect to provide instantaneous access to health records. The system is designed to promote better care and eliminate administrative repetitiveness. Our view is that the public needs to understand what the electronic health record or “EHR” is, its scope and how their personal health information will be used and shared within that system.
Of the 198 new access complaints that were launched, 134 (68%) dealt with “refused access”. This indicates that the provincial government and public bodies either have to be more willing to grant access when requested or do a better job at explaining their rationale for refusing access. Of the 207 cases that were closed in 2008, 38% of the complaints were supported by the Ombudsman, 35% were not supported and 5% were resolved before the Ombudsman could issue a finding. This indicates that all of the complaints brought to the Ombudsman are not without merit. The public appears to have a relatively good understanding of what their rights are under FIPPA and PHIA.
The Ombudsman has also been proactively involved in the development stages of legislation and programs in order to address potential privacy issues. For example, the Ombudsman expressed concerns about the technology used in Enhanced Drivers Licenses (EIC). Radio Frequency Identification chips store the necessary information on the EICs, but the chips are always “on”, meaning that they can be read by unauthorized individuals. This concern is being addressed by providing the cardholder with a protective sleeve. However, if the sleeve is ripped, torn or used improperly, it will not provide the necessary protection. Therefore, the Ombudsman has stressed that it is essential that individuals understand the privacy implications of opting into the EIC program.
The Ombudsman was also been involved in assessing the use of closed-circuit television monitoring by Winnipeg Police, who have agreed to follow the recommendations of the Ombudsman and will not live-monitor the cameras and will work towards developing retention policies and technology to “sever” individuals from images which are not relevant.
Overall, the Ombudsman largely applauds public bodies and government agencies for addressing privacy concerns in the development phases of new programs and legislation. However, it is clear that public bodies need to do a better job of dealing with access requests.
The Manitoba Legislature is currently debating Bill 219 – The Personal Information Protection and Identity Theft Protection Act.
The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).
Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of whom have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.
The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown. It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA. As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so.
If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support.
Additional coverage on this topic by the Canadian HR Reporter here.
If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments. As you know, there’s no shortage of issues these days. Hopefully, this blog is helping your efforts!
But if you work for a private sector organization and haven’t yet signed up for the federal Privacy Commissioner‘s e-newsletter entitled Privacy Perspectives, I’d suggest you do. It contains great information and helps to stay on top of things.
If you’re still in need of ongoing assistance and aren’t already a member of the Privacy Forum, you may want to touch base with me to learn more. It has been a super venue over the last 6 years for information sharing and the current members are an excellent group of individuals and first rate privacy professionals.
My May 7, 2008 column in the Winnipeg Free Press explains the difference between Manitoba’s Information and Privacy Adjudicator and a privacy commissioner, as appointed in almost every other province and at the federal level.