Consultation - Personal Information,
March 13, 2001

Summaries of Discussions

These summaries highlight the main points made in discussions at each of the roundtables and during the plenary sessions. They are not minutes or verbatim transcripts but rather a synopsis of the views of those participating in the consultation.

Participating Institutions (21)

Agriculture and Agri-Food Canada
Canada Customs and Revenue Agency
Canadian Food Inspection Agency
Canadian Human Rights Commission
Citizenship and Immigration Canada
Correctional Services
Department of Fisheries and Oceans
Department of Justice Canada
Department of National Defence
Health Canada
National Archives of Canada
Natural Sciences and Engineering Research Council
Parks Canada
Public Service Commission
Public Works and Government Services Canada
Royal Canadian Mounted Police
Social Sciences and Humanities Research Council of Canada
Standards Council of Canada
Statistics Canada
Transport Canada
Veterans Affairs Canada

Part 1: Issues and Concerns Regarding Personal Information

Participants generally agreed that the Access to Information Act and the Privacy Act in combination strike a good balance between the citizen's right to privacy and the right to be informed on government activities, thereby allowing more direct participation in democracy. Many felt however that a wider public understanding is needed of how both Acts complement one another in protecting personal information. The following concerns and suggestions were identified in discussions among participants grouped in five "round tables".

• Clearer guidelines on when personal information can be released and when it must be protected would assist departments in providing consistency in responses to ATI requests. For example, when to protect the names of ATI requestors as personal information was identified as requiring clarification either in law or in policy.
  
  
• Greater clarity is needed for the term "publicly available". The lack of a generally accepted meaning of this term across government leads to inconsistency in responses to requests that involve personal information that may or may not be publicly available.
  
  
• Protection of public servants' personal information was noted as necessary under some circumstances. For example, when an employee requests access to notes on internal harassment investigations, the names of those interviewed by investigators may be seen by the alleged harassers, and could result in a backlash against those who provided witness statements.
  
  
• Establishing criteria to assist in determining when personal information should be protected and when it is in the public interest to release such information would help eliminate inconsistency in interpreting "in the public interest".
  
  
• Protecting information gathered in police investigations for more than 20 years may be necessary under some circumstances, to protect victims and families of victims from additional injury (e.g., release of pictures of victims, etc.).
  
  
• Balancing protection of personal information and release of information for public safety reasons is important. For example, if a pilot has impaired night vision and is restricted to daytime flying this should be disclosable to an employer. Each instance where a balance has to be found between protection of personal information and public safety should be evaluated on its own merits.
  
  
• Some additional flexibility in the 30-day response time would assist departments in handling voluminous and complex requests that require the severing of large quantities of personal information from documents, including individuals' names, SIN numbers, addresses, telephone numbers, credit card numbers, etc.
  
  
• The issue of requests from law firms and insurance companies as part of pre-discovery processes for legal matters was raised. Some participants questioned whether this use of the access legislation was anticipated when the Act was passed.
  
  
• Clarification in legislation or in policy on the distinction between personal information and third party information in certain contexts would help departments determine whether to release information requested under the Act. In the case of small businesses that are sole proprietorships, it is sometimes difficult to distinguish between what is personal information and what is third party information because the individual is so closely linked with the business. For example, when the sole proprietor is working from a home office and communicates by e-mail with a contracting department, should the e-mail address be considered personal information or not? In other instances, information that could normally be considered corporate can in some contexts reveal personal information, such as complaints in a small industry where all the players are known to each other, enabling outsiders to glean personal information (identity) from the context of the complaint. Such situations create uncertainty as to what information can be released and what should be protected as personal information; this leads to inconsistency among government departments.
  
  
• The accessibility of information gathered in the contracting process is an issue when companies bidding on government contracts make access requests to discover information about the winning bid. The curriculum vitae and other personal information pertaining to individuals associated with the winning bid are withheld from disclosure, even though the deciding factors for awarding the contract may include the personal qualifications of these individuals. This is a source of frustration for the companies who lost the bid.
  
  
• While participants recognised the power of information and communications technologies to transform the way government interacts with citizens, issues around the use of technology should be addressed. For example, with the use of central servers as well as individual desk top computers for storage of personal information, there is a concern about individuals losing control over their personal information. E-mail was identified as an issue when it contains personal information that should be designated as "protected". It was pointed out that there is a general lack of awareness of information security standards, how they are applied and who is responsible for ensuring information security. E-mails are usually stored in a central server where there is an archiving function. If printed copies are not retained in traditional files, it is feared that e-mails may disappear in some offices because the responsibility for the custodianship of this information is either not identified or not communicated. Participants strongly encouraged that IT specialists receive training in the rules surrounding the safeguarding, use and disclosure of personal information, including data matching. Departmental employees need to be educated on the proper IM practices for all types of records, including electronic records. Some participants urged that back-up computer tapes be rigorously managed under retention and disposition schedules established in the departmental information management system.

Part 2: Main Themes Arising from Part 1

1. How to apply the "public interest" override (definition of "in the public interest")

A consensus emerged on the meaning of the term "public interest". Participants agreed that the "general good" of the public and "public safety" defines when information should be released or withheld. For example, disclosing information on communicable diseases or immigration information on convicted criminals, could easily be in the "public interest". On the other hand, releasing information that could be detrimental to victims or to the families of victims was noted as not being in the "public interest".

In situations where the Information Commissioner recommends disclosure of personal information "in the public interest", departments are required under the Privacy Act, to consult with the Privacy Commissioner. When the Commissioners have differing opinions on whether disclosure is appropriate the Department of Justice should be brought in to negotiate a resolution.
The Privacy Commissioner does not make a formal recommendation about the use of the "public interest" provision in the Privacy Act until the department declares its intention to disclose personal information. Some participants stated that while privacy investigators may give an informal opinion on public interest disclosure pursuant to the ATIA, they will not stand by it officially.

Amending the legislation to protect information for longer than 20 years could be beneficial, especially when the need to protect privacy outweighs the public interest in disclosure.

Participants felt that although "public interest" may be difficult to define, it would be beneficial if the factors to be taken into consideration were enunciated to help government departments make decisions on disclosure. A clearer understanding of "public interest" as well as examples of exceptions would assist institutions in determining whether to disclose or withhold information "in the public interest". It would also result in greater consistency across institutions in applying the public interest principle.

Some participants felt that it would be beneficial to have one Commissioner for both access and privacy, as do other jurisdictions in Canada and elsewhere. It was felt that the Information Commissioner should consult the Privacy Commissioner and vice versa on contentious cases.

2. When is personal information "public" and therefore available under the Access to Information Act?

Under sub-section 19.2 of the ATIA, personal information may be released if it is publicly available. There was a divergence of views on when information could be considered to be publicly available. For example, while publication in newspapers is not considered as readily publicly available by some institutions, it is considered so by others. Some participants pointed out that if personal information is in the press, it may not necessarily be true, and institutions should not have to confirm whether or not it is true by being required to disclose their documents. It was agreed that if the correct information is not in the press then it is not publicly available.

Because personal information may be partially disclosed in court documents that are publicly available, requesters may claim that the information ought to be accessible under the ATIA. Some participants felt that the onus should be on the requester to seek the information in the court records. Some participants reported that the Privacy Commissioner views personal information in court records as not readily publicly available because it requires a time-consuming and cumbersome search through the records of a particular court. Also, when dealing with police files, some participants felt there is a difference between "publicly available" and "available to the public". For example, police forces gather a variety of data which, theoretically, could be gathered by someone from public sources, but it would be time consuming and costly to do so. If they get access to police files the information would be all in one place and may provide more information than the individual is able to piece together. It could also alert people to the fact that an investigation is being conducted. There was a suggestion that if the information is publicly available individuals should be responsible for retrieving it from the public sources themselves.

3. How to please two Commissioners

There was a perception among participants that the offices of the Information and Privacy Commissioners should synchronize their work more closely. Some felt that privacy investigations have become more difficult to resolve.
Several participants observed that some requesters are filing ATI and Privacy requests at the same time for the same information. It was suggested that releasing as much information as possible under either one Act or the other, would reduce the tendency to file dual requests. Some participants said that they tend to respond to dual requests under the Privacy Act instead of the ATI Act. The effect of this is that personal and other information is withheld. Other participants questioned whether requesters are "short-changed" when information is disclosed under the Privacy Act, because the reasons for withholding any sensitive non-personal information would not be known to the requester due to the absence of the ATIA exemptions being marked on the released documents. However, the advantages of this approach to the ATIP Office include the avoidance of two requests, two complaints and having to deal with two Commissioners.

4. When should public servants' personal information be protected / accessible?

Job-related personal information on public servants is not protected, which means that names and opinions of government employees are not protected as personal information. Participants felt therefore that no guarantee can be given that employees' names and statements given during harassment or grievance investigations will be kept confidential and that this can potentially stifle investigations and have a negative impact on the internal management of departments.

Participants felt that the legislation should allow government departments to use discretion in determining when to protect or disclose the names of public servants. The factors to be used in applying this discretion would need to be defined.

The consensus view was that under certain circumstances, such as in the case of "whistle-blowers", public servants' names should be protected. Protecting the names of public servants would also, it was perceived, encourage full and frank discussions of issues and foster greater creativity and innovative suggestions for change. However, other participants noted that public servants are ultimately accountable to the citizens they serve and that names should be disclosed. For example, it was felt that it would be entirely appropriate to make public the names of government employees responsible for water safety.

Consultation