Review the Freedom of Information and Protection of Privacy Act — Issue No. 2

SPECIAL COMMITTEE TO REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

Present: Don McRae, MLA (Chair); Doug Routley, MLA (Deputy Chair); Kathy Corrigan, MLA; David Eby, MLA; Eric Foster, MLA; Sam Sullivan, MLA; Jackie Tegart, MLA; John Yap, MLA

2. The following witnesses appeared before the Committee and answered questions regarding the Freedom of Information and Protection of Privacy Act.

• Bette-Jo Hughes, Government Chief Information Officer and Associate Deputy Minister

• Sharon Plater, Acting Executive Director, Legislation, Privacy and Policy Branch

The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO
REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT


CONTENTS
Page
Briefing: Freedom of Information and Protection of Privacy Act	3
B. Hughes
S. Plater

D. McRae (Chair): Welcome, all, to the second meeting of the Freedom of Information and Protection of Privacy special legislative committee.

Today we are joined by some key ministry staff for our second meeting. They’ll do some briefing from the ministry perspective of freedom of information. I’d like to ask the people to introduce themselves. They’re probably known to many of us from other worlds that we’ve been in, but for the people at home and the people on Hansard.

B. Hughes: Thank you, Mr. McRae. Bette-Jo Hughes. I’m an associate deputy minister with the Ministry of Technology, Innovation and Citizens’ Services and also the government chief information officer.

S. Plater: I’m Sharon Plater, executive director for privacy and legislation within the office of the chief information officer.

D. McRae (Chair): Perfect. My vision for today, if people would like to know it, is that the experts will give sort of a briefing, probably taking about 30 to 40 minutes perhaps. Then at the end we will have time for MLAs to ask some questions or raise some issues if they so desire.

I think everybody is also aware that we are going to have a brief meeting at lunchtime just to talk about the going-ahead format of this committee, as well, so there’s also another chance to ask at that time.

B. Hughes: We are delighted to be here today and appreciate what is an opportunity that quickly follows a presentation we made on the review of our sister legislation, the private sector privacy legislation.

We’re very pleased to support and embark on this review of the Freedom of Information and Protection of Privacy Act. We feel it’s a very valuable piece of legislation and is a hallmark and a cornerstone to our free and democratic society.

I’d like to send my sincere thanks to the special committee for taking on what I’m certain will be a fascinating and challenging task. Thank you again for inviting us here to make a presentation.

Our proposed approach today is that we’re going to provide an overview of the legislation. Then we will return in the fall with a presentation on issues, trends and recommendations on proposed amendments to the legislation.

As you know, FOIPPA is a complex piece of legislation supporting very important objectives, and we work hard every day in our ministry and with the rest of government to uphold those goals.

The Ministry of Technology, Innovation and Citizens’ Services provides a broad range of services and support to government ministries and the broader public sector. In addition to being a champion of innovation in our ministry and encouraging the development of new technology, the ministry is also responsible for the legislation and policies that assist ministries and the broader public sector to provide citizens with access to the information they need, both through access requests and proactive releases of information, and also to protect the personal information of citizens.

Making this legislation work for the citizens of B.C. requires a concerted and collaborative effort involving a number of parties. The privacy and legislation branch, which is headed up by my colleague Sharon Plater, is responsible for the corporate governance functions related to the act, including managing change to the legislation and developing related policies. In both of these endeavours we strive to achieve an appropriate balance between, on the one hand, providing seamless access to government services and information and, on the other, securing sensitive information and protecting people’s personal privacy.

Information access operations, or the IAO, as it’s known, is under the purview of my colleague the associate deputy minister, Sarf Ahmed. Unfortunately, he wasn’t able to join us here today. IAO is a centralized service that responds to access requests on behalf of ministries and other government entities, and it also provides records management support and guidance to government.

All public bodies are responsible for the day-to-day administration of the act by providing access to information and maintaining required privacy protections for the personal information that they hold about the citizens they serve.

Another function of our ministry, in my office in particular, is that we are the primary point of contact with the Office of the Information and Privacy Commissioner. As an independent officer of the Legislature, the commissioner has her own pivotal role to play by ensuring that the twofold purpose of the act is met and that privacy and access obligations are adhered to in a way that benefits us all. I know the commissioner’s office has also been invited to present to you, so I won’t elaborate further on her role here.

The efforts of all of these bodies together translate the legislation into a working network of access and privacy services for citizens.
[ Page 4 ]

Now I’m going to turn the floor over to Sharon, who will go through a high-level overview of the act.

S. Plater: As Bette-Jo has indicated, my presentation will provide an overview of the provisions of the Freedom of Information and Protection of Privacy Act. In addition, I will also provide you with a historical recap of some of the highlights and changes to legislation over the years and provide you with an update on what has occurred since 2010.

I have a lot of material to go through here, so I’m just going to power through it in the hopes that we’ll get a chance to have questions at the end.

Slide 3, if you’re following on slides — I don’t know if you are — is the background and purpose. FOIPPA was passed unanimously by the Legislature on May 22, 1992. There was staged implementation between 1992 and 1994. Ministries and Crowns were the first organizations brought in under the act, in 1993; local public bodies, such as police, health authorities and municipalities, were brought in, in 1994; and self-governing professions were brought under in 1995.

The reason for this gradual implementation was to allow the appropriate level of training to occur for each type of public body. Local governments and self-governing professions also needed to review bylaws and do more assessment of their policies and practices to bring themselves up to speed. Government itself had been working for some time on implementation strategies and so was able to go ahead at the earlier date.

There’s a twofold purpose under the legislation: to promote accountability by providing a right of access to records held by public bodies, providing individuals a right of access to their own personal information and the right to seek correction of this information and by specifying limited exceptions to the right of access.

To protect personal information is the other purpose, and that is managed by prohibiting unauthorized collection, use, disclosure and storage by public bodies. Accountability and protection of personal privacy is enhanced under FOIPPA — I’m going to use that term as it’s just been the traditional term — as the legislation provides for an independent review of decisions made under the act through the Office of the Information and Privacy Commissioner.

Slide 4, scope and coverage. British Columbia’s act provides the broadest coverage in Canada. At our last estimate there are 2,900 public bodies that are covered under the legislation. The bodies covered include all ministries, agencies, boards, commissions and most Crown corporations; local public bodies, such as municipalities and municipal police boards, such as in Victoria and Saanich — the RCMP are covered under the federal legislation — regional boards and hospitals; universities, colleges and school districts. Keep in mind that private career colleges are covered under, as Bette-Jo mentioned, the sister legislation, which is the Personal Information Protection Act.

Part of the reason for the large number of public bodies covered in B.C. is due to the fact that B.C. also covers self-governing professions, such as the College of Physicians and Surgeons and the college of nurses. These aren’t generally covered in other provinces. Keep in mind that this coverage does not cover the individual members of the governing professions, such as nurses, doctors and lawyers, unless they work for a public body such as a hospital. What it covers is the governing body and the activities that that governing body does on behalf of the professionals it regulates. Private practitioners are covered under the Personal Information Protection Act.

Slide 5, “Who is not covered?” Members of the Legislative Assembly are not covered by the legislation. A minister who has responsibilities for a portfolio for a particular ministry is covered for that portfolio but would not be covered for the activities that they perform in their constituency office.

The Supreme Court, the Provincial Court and the Court of Appeal are not covered; nor are records related to prosecutions, teaching or examination materials or materials in a public body archive that have been put there by private individuals.

With respect to offices of the Legislature such as the Auditor General or the Information and Privacy Commissioner, the operational records related to the work they do — so the cases that they handle — are outside the scope of the act. However, the records, such as their budget or their employee records, are covered by the legislation. In addition, all the privacy provisions in the legislation apply to those offices.

Next slide — structure of the act. As noted on the slide, there are six parts to the act. The first part, introductory provisions, we have already gone through. The remaining parts relate to freedom of information, otherwise called access; protection of privacy; the powers of the Office of the Information and Privacy Commissioner; reviews and complaints; and general provisions. I will address each of these parts in that order.

Slide 7 — access, trends and statistics. Before we discuss the access provisions, I would like to provide you with some recent statistics related to access. As the slide states, the government of B.C. itself receives 8,000 to 10,000 access requests per year.

This differs from other provinces that receive a much lower amount. For example, in 2013-2014 Newfoundland — I chose Newfoundland because it was statistics I had that I could be sure were valid, not because it was one of the smaller provinces — received 553 access requests. This number includes those received by health authorities, municipalities, Crowns, boards and commissions. The 8,000 to 10,000 requests that are stated on the slide relate just to ministries in B.C.

The B.C. government receives two to three times as
[ Page 5 ]
many requests per capita as Ontario. The Ministry of Children and Family Development receives the highest volume of personal access requests in government. These are individuals seeking information that involves major life events, such as adoption, child custody matters and our aboriginal claims.

Close to two million records were scanned in the last two years so that a review could take place prior to the release of the records to the applicants. As the files from this ministry are complex, they may contain sensitive personal information about a number of individuals that were involved in each particular case, and the review must be conducted very carefully to prevent any privacy breaches from occurring.

The on-time rate for the government to respond to requests has increased to 79 percent in 2014-1015, up from 74 percent in 2013-2014. The percentage of no responsive records fell from 25 percent in 2012-2013 to 17 percent in 2014-2015. Approximately 1 percent to 2 percent of all FOI requests that ministries handle lead to a request for a review before the Information and Privacy Commissioner. The number of general requests has increased more than twofold since 2008-2009, when government centralized its FOI services.

In 2014-2015, 99 percent of all complaints received by the Office of the Information and Privacy Commissioner were resolved without hearing or inquiry. Now, that particular statistic involves ministries as well as all of the other public bodies.

Seventy percent of the general requests received by government over the past two years were from political parties and media applicants. These requests can be complex and time-consuming to process, mostly because they’re often directed to multiple ministries. In these cases, ministries are required to use staff time to conduct a search for records, even if it’s unlikely that the ministry will possess such responsive records.

The ability of government to respond to personal requests, which are close to 6,000 over the past two fiscal years, is heavily impacted by the number and complexity of general requests it receives. Government recovers only a very limited portion of the costs associated with processing FOI requests. Unlike other jurisdictions in Canada, B.C. does not have an application fee for making an access request. Alberta, for example, charges an application fee of $25 for general requests.

In addition, B.C. is unable to charge fees for reviewing and severing information in accordance with the exceptions in the legislation, while Ontario is able to charge fees for the review of the records.

Finally, the number of requests where fees were paid by an applicant in B.C. — this is ministry data — has remained under 2 percent for the last three fiscal years.

Going to slide 8, “Right of access.” Individuals have a right of access to their own personal information and general information held by a public body. Applicants must submit a request in writing and provide sufficient description to allow an experienced employee to locate the requested records. They are not required to provide a reason for why they are requesting those records.

Public bodies must respond openly, accurately and completely and disclose the requested records, unless there’s an exception to disclosure. We will discuss these exceptions in a moment.

Public bodies must respond within 30 business days, unless a time extension is authorized under the legislation. These extensions can be taken if: the applicant has not provided sufficient detail to find the records; there are a large number of records that are requested and must be searched, and meeting the deadline would unreasonably interfere with the operations of the public body; additional time is required to consult with a third party. For example, there could be records from multiple ministries in there, or there could be records from the federal government in there and they want to consult with these bodies before they release them. Finally, the applicant has consented to the extension.

In its response to an applicant, a public body must tell the applicant the reasons that any information has been withheld and the section under the act that authorizes this action. In addition, contact information must be provided, and the applicant must be informed that they have a right to request a review before the Information and Privacy Commissioner.

In terms of requests for general or non-personal information, public bodies may charge fees for searching for the records, for preparing the records and for shipping. They cannot charge fees for reviewing and severing information, as I mentioned earlier.

Fees cannot be charged when a person requests access to their own personal information. A public body can waive a fee they have charged if the individual is unable to pay it, if it’s in the public interest or for any other reason that’s fair and reasonable to do so.

Moving on to slide 9. Under access, I want to talk about records first. It’s an important point to keep in mind that the act relates to records. You’ll find a definition of this term in schedule 1. It states that a record includes “books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by graphic, electronic, mechanical or other means, but does not include a computer program or any other mechanism that produces records.” As you can see, this definition is very broad and includes every form of recorded record, from a little sticky note to a large database.

When an access request is received, the public body needs to do a number of assessments related to what has been requested. One of these will be to determine whether the request is for records or information. If an applicant is seeking records, then it would be an access
[ Page 6 ]
request under FOIPPA. If the applicant is seeking information, the public body would address the request through means other than FOIPPA.

Let me give you an example to clarify the point. If an applicant asked for copies of records relating to the types of road surfaces that are best suited for farms, the ministry would process this as an access request for which they may or may not have records.

If, on the other hand, the applicant asks a series of questions such as, “Should I put drainage ditches on both sides of my farm road? Should I use porous surface covering for my farm roads? If so, what is the best material to use?” A public body may treat this request as a request for information, and they would respond to it outside FOIPPA. In this instance, they could make a phone call, send an e-mail or provide a brochure that they might have available to the public.

Another important concept under access is the concept of custody and control. The act applies to recorded information in the custody and control of a public body.

These two words, “custody and control,” are important. A public body might have control of a document — for example, a case management report related to a client or a budget forecast document that they have generated and is in their files.

In other instances, the public body may have a contractor, which I’ll alternatively refer to as a service provider, that manages their financial processes. In that case, the budget forecast document may be in the custody of a contractor in their case files but would still be in control of the public body, as the contracted company provides the service on behalf of the public body. The definition of “employee” in schedule 1 of the act includes a service provider.

A public body might also have records that are neither in their custody or control. For example, an employee may belong to a private community association and keep some of those records at work.

There are numerous orders by the Information and Privacy Commissioner that have looked at the linkage of such records to the work of the public body. But basically, if the records have nothing to do with the public body and are of a purely personal nature of the employee, they would not be considered to be under the control or custody of the public body.

Slide 10 — exceptions to access. There are two types of exceptions under the legislation. There are mandatory exceptions, which means if the information in a record meets the criteria for this exception, it must be withheld. There are no options.

The other exceptions are discretionary, which means that public bodies can use their judgment to withhold or disclose the information that meets the criteria for these exceptions.

There are four mandatory exceptions. One relates to personal information. Another is for business information that could harm the business interests of a third party. A third relates to cabinet confidences, and the fourth has to do with abortion services information.

Discretionary exemptions relate to — and there are more discretionary exemptions — cabinet and local government confidences; legal advice, which covers solicitor-client privilege and litigation privileges, where you’re dealing with communications between lawyers and their clients and also documents that have been prepared for actual or contemplated litigation; harm to law enforcement, which covers prosecutions as well as actual law enforcement activities; harm to intergovernmental relations, which arises when you have records involving different levels of governments. You could have records between the province and the federal government, between the province and municipalities or the province and aboriginal organizations. This exception is intended to protect the dialogue between those bodies.

There can be harm to economic interests of a public body. This could involve negotiations that are ongoing for a public body, or it could be about personnel relations, or it may reveal a trade secret. There’s harm to conservation of heritage sites and harm to individual or public safety, where release of the information may put a person at risk. The exception for this has a very high threshold for withholding the information, and so it’s not used very often at all. The last one is information that will be published or released within 60 days.

Slide 11 — privacy protections. The privacy provisions in the act are set out in part 3. Apart from what is commonly referred to as the Patriot Act provisions, the requirements in FOIPPA are consistent with privacy legislation worldwide.

Personal information is defined as recorded information about an identifiable individual other than contact information. Contact information is information that enables an individual to be contacted at a place of business. It includes their name, their business address, phone, fax and e-mail. That’s not considered personal information.

There are a number of principles under the privacy provisions in the act. The first one is collection. Personal information must be collected directly from the individual unless the act specifies otherwise. The act also specifies a limited number of situations where personal information can be collected at all.

For example — and I haven’t listed them all here — the public body has a statutory authority through another piece of legislation to collect the information. It is being collected for law enforcement. The information is directly related to and necessary for an operating program of the public body, or the information is necessary to reduce the risk that an individual will be a victim of domestic violence if the violence is likely to occur.

The act also requires that notification be provided to individuals from whom information is being collected.
[ Page 7 ]
This notification must set out the reason and legal authority for the collection as well as provide the contact information for an appropriate representative of the public body, someone who can answer questions about the collection.

The next principle is use. Use of personal information is limited, under the legislation, to the following situations: for the purpose for which information was collected, obtained or compiled or for a consistent process, something that’s very similar; if the individual has consented to the use; for a purpose for which the information was disclosed to the public body under the disclosure, research or archival provisions in the legislation.

The third privacy provision is disclosure. The legislation contains a complicated set — I say that because it used to be very simple in earlier days — of authorizations for disclosure, both inside and outside of Canada. Basically, the rule is that a public body cannot disclose personal information unless there is a provision in the act that permits it. A couple of examples of the types of information that can be disclosed outside Canada are to notify next of kin if an individual is injured, ill or deceased or for debt collection if the individual’s assets are located in another country.

The fourth provision under privacy is storage and access. Public bodies are not able to store personal information outside of Canada, except in very limited circumstances. Nor are they able to have personal information accessed from outside of Canada — again, except in limited circumstances.

For example, if a public body uses an American-based technology services company and one of their systems breaks down, they would be able to give temporary access to that company in order to fix the problem, but they couldn’t have the company being privy to an open portal so they could be going in and out on an ongoing basis, monitoring the system. Once the problem is fixed, the access has to be discontinued. Then the next time there’s a problem, it can be opened again to fix that problem. It’s very temporary.

The fifth principle is accuracy. Public bodies must ensure that the information they have about an individual is accurate. If information is inaccurate or incomplete, it can have devastating impacts for an individual.

The next provision is security. Public bodies must take reasonable steps to protect the personal information that they hold against unauthorized collection, use or disclosure. It means that they have to have very strong protocols in place. Those protocols will differ, depending on the sensitivity of the personal information that’s involved.

Retention is another provision. The act requires that if personal information is used to make a decision about an individual, it must be kept for at least one year.

Correction. The act provides for a right for a person to make a request to have their personal information corrected. But just because the person makes the request doesn’t necessarily mean that it’s going to get corrected. If a request is made for a factual correction…. If you say you want to change your birthdate and you provide them with a new birth certificate or official documentation to prove that the birthdate they have is wrong and the new one is correct, then they’re likely to change that.

But if an individual comes along and they don’t like an opinion in a document — maybe the opinion is from a doctor — and they want it changed, the public body may not make that correction. What they’re required to do is to annotate the document, which means they’re likely to amend it by attaching — this gets tricky in electronic systems — the request for the correction and, if the individual has provided their view of the opinion, attaching that as well. So anybody that comes along later can see both sides of what the story about the individual is.

Slide 12. We’re going to run along to the history of significant changes under the act. The first one is since 2003. On the whole, the first amendments to the act completed in 2002 and 2003 were focused on addressing unintended consequences or confusing wording arising from the original drafting of the act.

For example, there were sections that looked like they made sense when they were being written, but once the public bodies tried to apply them, it was clear that they didn’t, and they needed to be clarified. In some places it could be as little as a comma was misplaced. Those sorts of things needed to be cleared up.

The key amendments during that time were the establishment of a personal information directory. It was the first of its kind in Canada — and I think it might still be — and provides listings of privacy impact assessments, information-sharing agreements and personal information banks that are held by public bodies. It is now published through DataBC and is one of the most popular databases that they have.

Privacy impact assessments were made mandatory for new legislation, systems, projects or programs developed by ministries. Most jurisdictions do not have this as a legislative requirement.

It provided the Information and Privacy Commissioner with the authority to choose not to hold an inquiry if it wasn’t warranted or it wasn’t appropriate in a given case. It provided the commissioner with the ability to deem a request as being frivolous or vexatious. It required a review of the legislation to be conducted every six years by a special committee of the Legislature, such as we’re engaged in here.

It clarified the definition of “day” as meaning “working days,” not “calendar days.” This has always been a very contentious amendment, as it gave public bodies a longer time to respond to access requests. The original reason — and I was there — it was brought in is that there are months of the year, like for Easter or Christmas, where you have a lot of holidays.
[ Page 8 ]

What was happening is it was impossible for public bodies to meet their deadlines. So it was thought, “Well, rather than having them over the deadline, let’s make it a little bit longer, and then they will be able to do that in those months where there’s a lot of vacation time.”

The last amendment also assured that privacy protections were extended to personal information held by contractors of public bodies.

Slide 13 — this is since 2004. We saw during 2004 a lot of issues related to the U.S.A. Patriot Act. Many of the amendments that flowed forward in 2004 were based on addressing what were considered to be concerns about other countries, not just the U.S.A., coming in and being able to access individuals’ personal information without them knowing about it.

It restricted disclosure outside of Canada. It restricted storage outside of Canada. It restricted the ability to access information from outside of Canada. It required mandatory reporting of any unauthorized access for personal information. If, say, a police agency in a state decides they want to come up here and they want some information about an individual’s personal life — maybe from the Ministry of Social Development and Social Innovation — that kind of request needs to be reported to the minister responsible for the act.

It created fines and penalties if these disclosures were not reported or if such disclosures were made. And there were whistle-blowing provisions put in so that employees who did report unauthorized disclosure could not be discriminated against because of that action.

Slide 14 — since 2006. In later 2005 and 2006 there are amendments brought in to counter some of the challenges faced as a result of the 2004 amendments. For example, it became evident that there were some things that couldn’t be done without information going outside of Canada — for example, credit card payments. In those days all of the credit card processing facilities were in the United States. If you had liquor stores or you had health authorities that were accepting payment by credit card, they all of a sudden couldn’t do this.

It permitted access to personal information outside of Canada in cases where it was necessary to install or to do troubleshooting or repair on a computer system. It permitted an officer or employee of a public body to access their personal information electronically if they were out of the province on business. If they were in the U.S. on business, they could then go in and get that information if it was necessary for them to perform their duties.

It increased transparency of personal information in health information banks, which are created under the Health Act, by requiring that summaries of these be posted in the on-line public directory that I spoke about a few minutes ago. Disclosure provisions were added to complement earlier collection provisions for common or integrated programs.

Slide 15 — since 2008. In 2008 there were changes which largely reflected the recommendations in the special committee report in 2004. A number of changes were made at this time around the commissioner’s powers. It permitted the commissioner to send complainants back to a public body to try and resolve their issues at that point, before the commissioner opened a file.

It also allowed the commissioner to order a public body to conduct a review and severing process, as required by the legislation. I think this arose because some public bodies were just saying, “No, we’re not releasing it,” and sending the whole file into the commissioner’s office, and the commissioner was having to do the severing. That gave the commissioner’s office the authority to send it back to the public body. It also allowed the commissioner’s orders to be treated the same as orders that were made by the Supreme Court.

Slide 16. Since 2011 the amendments tightened up the common or integrated program or activity provision in the legislation by creating a definition for common or integrated programs and establishing criteria for such programs through regulation. It supported citizen-centric and collaborative services by enabling citizens to consent to the collection of their personal information for specified purposes that benefit them. It supported the delivery of common or integrated services that involve more than one public body or agency.

It facilitated the use of new communication technology, such as social media, to engage with citizens, while ensuring that privacy is enhanced and maintained. It enabled the delivery of convenient and trusted on-line services by establishing the foundation for the provincial identity information management service.

It enhanced privacy protections by strengthening and expanding the requirements to conduct privacy impact assessments and providing new oversight to the Information and Privacy Commissioner with respect to mandatory reviews by that office of privacy impact assessments for data-linking and common or integrated programs or activities.

In addition, a number of recommendations from the 2004 and 2010 special committee were addressed at that time.

My last slide relates to the 2010 special committee review, which I understand you’re particularly interested in. What I’m going to do is go through the recommendations and what we have done with them. You have a chart before you that gives a list of the recommendations as well as the status. I’m going to go through the recommendations as we have them characterized on the slide.

There are 16 addressed through the 2011 legislative amendments, one through a 2012 regulation amendment and six addressed through policy. Seven were reviewed and no amendments deemed necessary. One has been drafted and is ready for the next legislative opportunity, and four remain under consideration.
[ Page 9 ]

With respect to those that were addressed through legislation, the following have been implemented fully.

Recommendation 6, which related to replacing “employees” with “faculty members and teaching support” of a post-secondary educational body, has been done.

Recommendation 9, which said to amend section 9(2) regarding public bodies providing e-copies of records of applicants, has been done.

Recommendation 15, amend section 20(3), the release of records if 90 days have elapsed since the request and refuse access published according to a statutory schedule. Sorry, that’s very brief. Number 15 has been done.

Recommendation 17, amend section 22(3)(h) regarding disclosure revealing substance of personal recommendation, evaluation, character reference or personal information. Evaluation has been done.

Recommendation 18 — to amend section 22(4)(i) by adding “degree, diploma or certificate” granted to the third party from a public body — has been done.

Recommendation 20 — allowing individuals to consent to the collection, use and disclosure of personal information by a public body — has been done.

Recommendation 26, reflecting the collection of personal information under PIPA, making it consistent under FOIPPA — that has been done.

Amend section 59(2) and add a new section, 59(3), inhibiting abuse of the judicial review process. That has been done.

Amending section 66 around delegation authorities applying to local government bodies has been completed.

The ones I’m going to talk about now have been done but not fully. So they’ve been done in part, by amendments.

Recommendation 5 related to the custody of service provider records. This provision has been amended, and a new provision has been incorporated into the act, which places records created by a service provider that do not relate to services it provides — so its employees or its budgets, etc. — outside the scope of the act. So they’re not covered under the act. By extension, it follows that the records that do relate to what the service provider does under the contract for a public body are under the custody of the legislation. This works in tandem with the act’s definition of “employee,” which covers a service provider.

Recommendation 7, which relates to schemes approved by the Information and Privacy Commissioner for the routine proactive disclosure and that they be operational within a reasonable time period. This recommendation has been implemented. However, the approval rests with the minister and not with the commissioner. The commissioner was consulted on the amendment prior to it being introduced.

Recommendation 11. This relates to the right of access to original records, if reasonable. The recommendation asks that section 5 and section 9 be amended. This recommendation has been done under section 9 of the act because that was deemed the most appropriate section to place the provision, as the section relates directly to how to the access will be given.

Recommendation 16 talked about amending the act so that the personal information of those who were deceased over 20 years is a relevant consideration in determining if disclosure is unreasonable. This has been addressed through an amendment, as well, that requires that death can be a determining factor when considering release of personal information in response to an access request, along with the length of time the person has been deceased.

While the new provision contemplates the notion that privacy rights may diminish over time, it refrained from placing the specific 20-year mark on it, because it was felt that that was arbitrary. But the principle has been put into legislation.

Recommendation 21. This was asking to include language confirming a broader approach to research. This has been implemented, with the exception of the de-identified data portion of it, which is still being considered. So half of that recommendation has been implemented.

Recommendation 25 asks that a requirement be added for privacy impact assessments to be conducted on conceptual, design and implement phases for both ministries as well as health authorities. It has been implemented in part. It is mandatory for ministries to complete a privacy impact assessment on all systems projects, programs or activities and must submit these privacy impact assessments — I might use PIAs as an abbreviation just to not keep saying the full term — to the Minister of Technology, Innovation and Citizens’ Services in accordance with directions that are issued by that minister.

These directions set out a variety of templates and types of privacy impact assessments that can be used alone or in conjunction with each other. One of these is a conceptual PIA.

Public bodies must also provide privacy impact assessments on common or integrated programs or activities and on data-linking initiatives to the commissioner for review and comment. The requirement to do conceptual, design and implementation privacy impact assessments for all projects was not included in the legislation, as not all projects require all three of these privacy impact assessments.

It was felt it wouldn’t be practical to put in a legislative requirement that was not necessary or of value. If the project is a simple one, it might be one small PIA that is necessary to understand the full privacy impacts of that amendment. Very complex ones, though, would go through a stage privacy impact assessment process, and they may very well use all three. It was felt that it was better to deal with it through policy and the directions of the minister.
[ Page 10 ]

The topic is also covered in training sessions that the government’s chief information officer provides to public bodies. There are templates for all these types of privacy impact assessments on the government chief information officer’s website.

It also does not cover health authorities at this point, because the broader public sector is very large, and we had a little concern over covering just one component of it. We’re still researching that to look at how that can be done without targeting just one and not the others as well.

Recommendation 34, which said make personal information available free of charge or without an access request, has been done. Amendment was made to the legislation enabling the minister to issue directions on this category of information. We’re in the midst of developing a data and access assessment, which will encourage ministries to think about how personal information can be quickly exported out of new systems or new programs that are being developed.

Consultation with ministries to design a standardized approach has been conducted, and our ministry is currently exploring options for implementation and potential additional consultation if required.

Government will be proactively releasing purchase card data for all ministries as open data at the end of January, which establishes a new category. And government is engaging business and industry to help determine high-value data.

That’s the end of the ones that have been implemented. We did do one through regulation. There was a request that government review the schedule of maximum fees. This has been done. The fees — No. 35 — were updated and modernized in an amendment to the regulation.

There are a number of recommendations that were done fully or partly through policy. The first one is No. 1. This asked to have a section added to say that information technology plays an important role in achieving the dual purposes of the act. This was primarily addressed in policy but also addressed, in part, by the 2011 amendment package regarding the open information platform and, in part, by the requirement to do privacy impact assessments.

It is not a preferred action to put these kinds of statements in legislation for the simple reason that they are a purpose statement and they don’t actually require government or public bodies to do anything. But they can be interpreted or read by the courts in a judicial review to mean something that isn’t stated and isn’t intended, so there can be a real problem with those types of statements in legislation.

Number 2 was the second recommendation that was dealt with through policy. This related to, again, a statement that privacy infringement must be proportional to the public interest that is achieved. The new PIAs contain risk mitigation strategies, so we’ve just completely redeveloped a template.

They require ministries to identify and consider risks to privacy, to provide assessments of the likelihood of impact of these risks and to provide an appropriate mitigation measure, if they elect to move forward with that risk. As noted above, the general statements also, as I said, aren’t a preferred thing to include in legislation.

Recommendation 8. It was routine release of information listed in the paragraphs that are included under section 13. Government chose to approach this recommendation through a change to the Freedom of Information and Protection of Privacy Act policy and procedures manual. It’s available to all public bodies on the government chief information officer’s website. The essence of the recommendation is also incorporated into the training that’s offered by the government’s chief information officer.

The reason it was addressed through policy and training rather than legislation is to make sure that public bodies understand that once records meet the criteria for release under section 13, it is still necessary to review those records to determine if they need other exceptions, particularly the mandatory exceptions that relate to personal information. It’s difficult to clearly articulate such distinctions in legislation, and government did not want to make a change that had the potential to give rise to privacy breaches.

Recommendation 10 related to applicant anonymity. Government chose to address this issue through policy and training, as the goal could be accomplished more directly and completely this way. The issue that arises for the anonymity…. There are times when the identity of a requestor needs to be known, such as when they’re asking for their own information. That has to be passed on to the people searching for their records. The nuances of those instances are difficult to address clearly in legislation.

In response to the commissioner’s first annual report on timeliness of government access requests, which was done in February 2009, the government said that it “will undertake efforts to ensure anonymity is protected to the greatest extent possible.” This has been accomplished. Government currently addresses this by removing applicant names on FOI requests before requests for records are distributed.

Recommendation 27 re: protocols for sharing health information with immediate family members. This is to be addressed through policy development and training and information-sharing guidelines. The Office of the Information and Privacy Commissioner does have guidelines on this issue on its website.

Recommendation 29. This is around amending the Information and Privacy Commissioner’s power to require submissions of statistical information via the processing of FOI requests. Government provides statistics on ministers’ requests to the Information and Privacy Commissioner upon request, and the commissioner has agreed to this arrangement.
[ Page 11 ]

There were seven recommendations where no amendment was deemed necessary. The first one related — it was recommendation No. 3 — to BCSPCA. In 2005 the committee’s concern was about the BCSPCA’s dual status, and this was investigated. It wasn’t clear at the time whether the BCSPCA, because they’re a society, could be covered under the act. They do have one small part of their operations that is covered under the Prevention of Cruelty to Animals Act.

That act was amended in Bill 24, 2012. That provided the minister with the power to order the BCSPCA to report on any relevant matters and to make such reports public. It also requires the BCSPCA to comply with such orders. The act was also amended to provide for notice of owners of proposed decisions about their animals and established review and appeal processes. These amendments addressed the advocacy groups’ concerns about the lack of accountability in the reporting requirements.

Recommendation 12, which related to reducing transfer times to ten days. The time frame was originally ten days in the legislation, and the 1999 special committee recommended that it be moved to 20 days to give government bodies more time to deal with the transfer. We left it at the 20 days, rather than switching it back to ten. Government’s policy and procedures manual on FOI encourages public bodies to deal with these transfers as quickly as possible.

Recommendation 13, making section 14, which relates to legal records or solicitor-client records, a mandatory exception. This was considered but not implemented, as the commissioner did not support this recommendation.

Amendment, section 14, decisions on privileged status of material — that these must be referred to the Supreme Court of Canada — was considered but not implemented, because the commissioner did not agree with this recommendation.

Recommendation 19, which related to the Supreme Court of Canada’s decision, Grant v. Torstar. The decision was reviewed, and no amendment was deemed necessary.

Recommendation 23, appointment of a government chief information officer. It has been determined by government that there is no need to appoint a government chief information officer, as the duties of such a provision already fall under the mandate of the government chief information officer. The authority of the government chief information officer, with respect to privacy, is documented in chapter 12 of the government’s core policy and procedures manual.

Recommendation 28, which was permitting a health care body to disclose de-identified personal health information without consent for research purposes. There’s a concern that this amendment could result in the inappropriate disclosure of personal information. There’s a wide range of de-identification techniques available, and all of them protect the information from being re-identified using other public or non-public databases.

Again, we were leery of creating the potential for privacy breaches with that recommendation.

We have one recommendation drafted and ready to go. That is recommendation 30, which is combining the complaint processes and the review and inquiry process with the Information and Privacy Commissioner. These changes are in-depth and lengthy. They have been formally drafted and are ready to go when there’s an opportunity.

Recommendation 4, expand the definition of “public body” to include any corporation that is created or owned by a public body. Early consultation with public bodies regarding this recommendation revealed that there are a broad range of entities with complex structures that are created or owned by public bodies.

The government has been continuing to investigate various types of entities and the implications of covering them under the act, so that any change that is made to the legislation will be effective and will not have unintended consequences.

Recommendation 22, considering public consultations on data-sharing initiatives. The government respects the spirit and intent of this recommendation and has implemented it in complex initiatives such as the B.C. Services Card.

Recommendation 24, mandatory ethics review by an arms-length stewardship committee for all data-sharing projects for the purpose of research. This is under consideration.

Government recognizes that having a proper review process in place for research is important, as it protects personal information that may be involved. It also recognizes that research is being conducted by students who are academics at a university or by those who have applied for a research grant. Those people have already gone through an ethics review.

The government is looking at creating a review process through policy that can be flexible to recognize appropriate ethics reviews conducted through other entities and can be customized to reflect the nature of the research. For example, a very small research study that is limited and doesn’t have a lot of sensitive personal information on it may not require the same level of review as one that’s complex, that deals with highly sensitive information.

The last one was recommendation 61, to extend the Information and Privacy Commissioner’s 90-day time limit to review access requests. It’s under consideration. We expect to put it forward at the next opportunity in the Legislature. We wanted to make sure that the time extensions were carefully considered to make sure that it didn’t have any negative repercussions for citizens.

D. McRae (Chair): Excuse me, if I may. When you said recommendation 61, was that meant to be 31?
[ Page 12 ]

Well, that was more information on this topic than I’ve ever heard in my entire life. But then I’ve not been on this committee before. Others have. Thank you very much.

I know we were planning to leave at 9:30, but if the committee members are open to it, could we extend it for five more minutes to 9:35? Then if necessary we’ll have to invite people back for the questions and answers at that stage. If that’s okay, I’d like to open the floor to questions from the committee.

D. Routley (Deputy Chair): I have two questions I’d like to address now and then three things I’d like to just put on the table for when you return perhaps.

The first question would be…. The numbers of requests are higher in B.C. You said twice to three times Ontario. We have public insurance here — ICBC. I’m wondering what proportion of the requests are related to the public insurer. Government bodies are covered here, whereas they aren’t in other jurisdictions perhaps — and the number of Crown corporations we have. How much would that explain the higher number of requests?

The second question would be on the 30-day issue. It’s the contentious one that has extended all requests. Was there consideration given to changing to working days but reducing to 25 so that the working day allowance of a normal request would not change but then would accommodate holidays in the holiday season and would extend the calendar day as required by holidays? If there was any consideration given to that.

Then the three things I’d like to, perhaps, put on the table for the return engagement would be…. Tokenization — what kind of work the ministry has done to review tokenization.

The issue of subordinate corporations of public bodies, which was also a contentious issue. When Minister Bond was the minister of this file, she agreed that that should happen. It hasn’t, and I wonder what the ministry’s position on it is.

Finally, you referred several times to the difference between addressing problems with training and policy or regulation changes rather than legislative changes, and I’d like to know where the demarcation zone is for how you make that decision.

Mr. Flaherty, when he was acting commissioner, addressed the previous committee and was very specific in his recommendation to make changes more descriptive and prescriptive through regulation or legislation, noting that so many of the problems different ministries brought forward could be addressed by better training because the provisions were already in the act. He was really clear that principle change versus prescriptive change…. I just wonder how the demarcation of that is. A perfect example would be the health records to relatives, particularly around hereditary issues and adoption.

S. Plater: With respect to the numbers, ICBC does get a very large volume of access requests. We don’t know the numbers of those, because government doesn’t collect them. I used to process ICBC files, so I’m really aware of that. I think what happens…. And we will get those for you.

I think the big difference in B.C. is that we have a much more active privacy world here in B.C. and an access world because we have the advocacy groups — the B.C. Civil Liberties Association and the Freedom of Information and Privacy Association. Other provinces don’t have that. Those associations keep issues alive in B.C. There’s also a lot of debate about those issues in B.C. It’s part of our climate.

When you have issues arise at the federal government or key issues in other provinces, it’s the B.C. organizations that go out and present to those committees. I think that is somewhat of a factor in it. But we can also look at this information and get that back to you.

B. Hughes: As a point of clarification, the numbers that we were talking about were the numbers that are processed through our ministry and the information access operations. Requests to ICBC would go to ICBC. Requests to B.C. Hydro would go to B.C. Hydro. But we can give you detailed statistics on who’s getting those access requests for sure.

S. Plater: Then your other one, the 30-day issue. I’m unaware that it was looked at, at that point, to reduce it to 25 days, to make all access requests during that time and not extend the timeline beyond 30 days. I don’t recall that being looked at, but that doesn’t mean to say that it wasn’t thrown into the discussion at some point.

I think it was felt that 30 days was pretty standard across the country and that by the time you locate records, get them back, get a chance to review them and then have them go up through sign-off and the letters are written and everything goes out, the 30 calendar days was pretty tight as it was. I think that’s why it….

B. Hughes: I know you’ve asked us to return on the tokenization item, but if I could…. We have done some
[ Page 13 ]
work on that item, and there is a letter on the Office of the Information and Privacy Commissioner’s site that talks about the work that we have done on tokenization of information.

D. McRae (Chair): I’m going to give the last question to MLA Yap, and then I’ll canvass the committee members to find out if we wish to prolong this Q-and-A session. Then we’ll have to find another time to schedule it. But the last question goes to you.

Thank you for your presentation. In the world of FOIPPA, there must be accepted and recognized best practices. We’ve discussed a little bit about comparisons to other jurisdictions. I wonder if, at a high level, you can comment on how B.C. is doing in that sense. And perhaps as a takeaway, if there are accepted best practices, if you could come back at the next opportunity to give us a bit of an overview of how we’re doing here in B.C. in terms of best practices in FOIPPA.

B.C. chairs the national privacy and access committee, and we hear a lot from them that we are way ahead of the other provinces in how we approach access and privacy.

As I mentioned earlier, we had just completed new privacy impact assessment templates, and the two departments of the federal government and another international jurisdiction have asked if they can use those and just credit B.C. with having developed them.

There are a lot of things like the database, the information-sharing agreements, etc., as well as having requirements for privacy impact assessment in legislation, which you don’t see in any other Canadian jurisdiction. We’re usually seen as being ahead of the pack in the kinds of things we’ve developed.

I can also echo…. I have a staff member right now in Australia, and she finds it very helpful to take the kinds of things that we’ve developed down there to incorporate into their practices as well.

B. Hughes: I would just add that, again, British Columbia is recognized as having one of the strongest freedom-of-information and protection-of-privacy legislations in the country. The work that we do with the commissioner’s office allows us to share that information of best practices around the world, frankly. But we will certainly bring back some more specific research on that for you when we return.

Knowing that we also will be scheduled to come back for another conversation at a later date…. To the members of the committee with regards to questions and answers from today, do we wish to invite the ministry back for further Q and A in the near future rather than scheduling it for the fall?

D. Routley (Deputy Chair): Another possibility might be that we could submit questions for the return. We may have trouble bringing everybody together again.

D. McRae (Chair): I agree. I’m just starting to canvass the members. If that’s okay, if everybody is comfortable with submitting questions in writing, then that would help your next briefing presentation later on in the fall.

With that, I guess we get to move adjournment of the committee today. Thank you very much.

Hansard Services publishes transcripts both in print and on the Internet.
Chamber debates are broadcast on television and webcast on the Internet.
Question Period podcasts are available on the Internet.

Chair:	Don McRae (Comox Valley BC Liberal)
Deputy Chair:	Doug Routley (Nanaimo–North Cowichan NDP)
Members:	Kathy Corrigan (Burnaby–Deer Lake NDP)
	David Eby (Vancouver–Point Grey NDP)
	Eric Foster (Vernon-Monashee BC Liberal)
	Sam Sullivan (Vancouver–False Creek BC Liberal)
	Jackie Tegart (Fraser-Nicola BC Liberal)
	John Yap (Richmond-Steveston BC Liberal)
Clerk:	Susan Sourial

REPORT OF PROCEEDINGS (Hansard)

SPECIAL COMMITTEE TO REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO
REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT