The committee met at 12:02 p.m.

[R. Glumac in the chair.]

R. Glumac (Chair): Good afternoon, everyone. My name is Rick Glumac. I’m the MLA for Port Moody–​Coquitlam and the Chair of the Special Committee to Review the Freedom of Information and Protection of Privacy Act.

I would like to acknowledge that I’m joining you today from the traditional territory of the Coast Salish peoples.

I welcome all those who are listening to today’s meeting.

Our committee is tasked with reviewing the Freedom of Information and Protection of Privacy Act. We’re, in fact, currently accepting registration for presentations to the committee. Registration remains open until 3 p.m. this Monday, February 7. There will be additional opportunities to share input later in February. If anyone is interested in learning more information about the consultation process, you can go to the committee’s website, which is at www.leg.bc.ca/cmt/foi.

The purpose of today’s meeting is to receive briefings from both the Ministry of Citizens’ Services and the Office of the Information and Privacy Commissioner. Each briefing will last for about 20 to 25 minutes, and then we’ll have time for questions at the end from committee members.

Before we get started, we’ll just do a quick round of introductions by the committee members.

J. Rustad (Deputy Chair): Hi. I’m John Rustad. I’m the MLA for Nechako Lakes and the Deputy Chair for the committee.

J. Routledge: Hi. My name is Janet Routledge. I’m the MLA for Burnaby North.

I’m joining you from the traditional, unceded territories of the Coast Salish people.

H. Yao: Henry Yao, MLA for Richmond South Centre.

I’m joining everybody from the unceded, traditional territory of the Musqueam, Kwantlen and Tsawwassen Coast Salish people. I thank them for allowing us to live, work and play on their ancestral land.

A. Olsen: Good afternoon. I’m Adam Olsen, MLA for Saanich North and the Islands.

I’m working today in my village of W̱JOȽEȽP in the W̱SÁNEĆ territory.

R. Glumac (Chair): Thank you.

A quick round of introductions from the Ministry of Citizens’ Services, if you don’t mind.

S. Chant: Did you want me to say anything?

[12:05 p.m.]

R. Glumac (Chair): Oh, Susie. I’m sorry.

S. Chant: I am Susie Chant. I am the MLA for North Vancouver–Seymour.

I am speaking to you from the unceded territories of the Coast Salish — to be specific, of the Squamish and the Tsleil-Waututh.

R. Glumac (Chair): Excellent.

Our first briefing is with the Ministry of Citizens’ Services. I will hand it over to you for introductions and to begin the briefing.

Briefings on
Freedom of Information and
Protection of Privacy Act

MINISTRY OF CITIZENS’ SERVICES

S. Brouwer: Certainly. Thank you for the invitation today.

I’m Shauna Brouwer. I’m the Deputy Minister of Citizens’ Services.

I’m joining you from my home in Maple Bay, which is in the traditional territories of the Cowichan Tribes, often known as the Warm Land here.

With me today is CJ Ritchie, the associate deputy minister. She’ll be doing some opening remarks for us. Matt Reed is our acting assistant deputy minister of the CIRMO branch, and he’ll be doing the presentation.

With that, I will turn it over to CJ. I thank you for having us here today.

C. Ritchie: Good afternoon. Thank you to the committee for having us here today.

I’d like to acknowledge that I’m joining you from the traditional territories of the Lək̓ʷəŋin̓əŋ-speaking people, known today as the Songhees and Esquimalt First Nations.

We’re here at your request. We’re here to provide you with an overview of the Freedom of Information and Protection of Privacy Act, otherwise known as FOIPPA.

Normally, we would provide just a high-level overview of the act itself, but today we’re going to focus, as well, on the recent amendments made to FOIPPA. You’ve also asked us to comment on the status of previous recommendations made by this committee. We’re happy to do both those things and take any questions the committee may have.

I’ll just provide a little bit of context here. As you know, FOIPPA is a very important piece of legislation. It keeps government accountable to the public and protects the privacy of British Columbians. And given the importance of FOIPPA, government is always listening to and soliciting feedback on how well it functions. So with respect to the amendments we recently made, they reflect a balance of varied interests held within the act. The amendments were also a result of feedback that we heard over the last several years and feedback that certainly was amplified in the last two.

Highlights of the amendments that we’re going to cover today include updates on FOIPPA’s data residency provisions, some enhanced public sector privacy protections and mandatory privacy breach reporting, introduction of a $10 application fee for non-personal freedom-of-information requests, and increased information-sharing powers with Indigenous governments. We added Indigenous cultural protections. We removed some non-inclusive language. And in line with moving towards a more government-to-government relationship with Indigenous partners, we’ve exempted the paying of any application fees for Indigenous partners.

The work of the 2016 Special Committee to Review FOIPPA has been very valuable in the development of the amendments that were recently done, as were the consultations that we undertook. Those consultations included ministries, broader public sector, industry experts, Indigenous organizations, the public and, of course, the Office of the Information and Privacy Commissioner.

We expect that the committee may hear and choose to comment on areas of the act that require further regulation or ministerial direction, and these are really important opportunities to add further protections to the act. We look forward to hearing from this committee and gathering your feedback on how FOIPPA should respond to future and emerging issues.

With that, I’m going to pass it over to Matt Reed. Matt is the acting assistant deputy minister of the corporate information and records management office. He is here to provide you with a presentation that will give you more detail about FOIPPA and its recent amendments.

Matt, over to you.

M. Reed: Thanks, CJ.

The second slide here covers the agenda of what we will actually talk through today. As CJ mentioned, we were asked to give an overview of the act, so I’ll try to do that as quickly as I can. We’ll do a status update so you know what is happening now within the ministry. And then I’ll walk through some of the key amendments.

There are a number of amendments that happened in October. We’ll just do the main ones but welcome any questions on any part of that suite of amendments. Then I’ll just highlight some resources that we’ve made available to other folks around the public sector.

[12:10 p.m.]

This is a very, very high-level review of the act generally and how it operates. You heard us reference it as FOIPPA. You’ll hear the commissioner’s office refer to it as FIPPA. We are talking about the same piece of legislation. It’s just a convention that we both use differently. As you can likely imagine just from the title of it, FOIPPA covers two very different parts of accountability generally. One is around access or freedom of information, and the other is around privacy.

The way that the access side works, as I’m sure many of you are familiar with, is that there is a general right that folks have to make requests of public bodies to get access to the records, whether those are records that relate directly to that person as an individual or to the general operations of that public body. The default position here should be that the public body would be releasing information unless this part of FOIPPA says that there’s a reason why they can’t or may not.

There are some provisions here, some exceptions here, that are mandatory. In the event that information relates to or could encroach on somebody’s personal privacy, we are not permitted to release that information in response to an FOI request, but there are places where it is discretionary. There are a number of exceptions. It could policy advice, or it could be potential harm to a law enforcement matter.

In those instances, then the public body has a choice to make about how they want to use that discretion — to either release the information or to withhold it. All of those have to be contained within the act, so it can’t simply be: “Because we don’t want to.” There has to be a very clear, legislative reason for which we can even have that discussion about whether we should or shouldn’t.

On the privacy side, that works a little bit differently: instead of defaulting to release, it defaults to not release. So when we’re talking about personal information, rather than saying we should release unless there’s an exception, it is that we can only disclose information or we can only collect information if there is a reason specifically set out in the law. In this part of the act, it talks about collection, use and disclosure, the three things you can basically do with someone’s information. You can take it in, you can do something with it, or you can share it with someone else.

In each of those actions, a public body should be looking to FOIPPA to be clear that they are permitted to do that thing so that individuals’ privacy rights, which are built around their control over their information, are respected as much as possible. So there are a number of provisions here that say when something can be shared with another public body or with another person publicly or even if it’s just being shared with one other person. All of those authorities exist within that section of FOIPPA.

Now, I’ve mentioned public bodies a few times, which are what the act actually applies to. There are over 2,900 public bodies in B.C. We are able to reflect the experiences of ministries, because that’s who we know best, but it does apply equally to other agencies — to Crown corps, municipalities or other local governments, school boards, police departments and many other types of bodies. It really speaks to the span of how many bodies there are and how different the business of folks that are having to follow the law is when you compare it against how different these public bodies are.

Of course, I’d be remiss if I didn’t mention that the act also sets out the powers and abilities of the Office of the Information and Privacy Commissioner, whom you’ll be hearing from later today, as I understand. It’s an important role in terms of regulating and overseeing the acts, and all of those powers are similarly set out in the act.

If we jump to the next slide, this is FOIPPA as it is experienced in real life, for ministries specifically. We’ve added a few at-a-glance stats here so that you can get a sense of the scale. When you’re doing your review of the act, there are a number of provisions that relate either to releasing information, to being able to share or collect information, or even things around privacy impact assessments. It’s useful to know what that looks like on the ground, because it is quite substantial in scale.

B.C. is a very active province in terms of FOI, so we do get a very large number of requests. In the most recent fiscal year, it was just over 10,000, but we have, as recently as two years ago, hit over 13,000 requests in one given year — which, at this point, is more than the other western provinces combined. Not more than Ontario — as quite a big province — but per capita, we’re right up there in terms of the number of requests that we get. The number of pages, as a part of that, is again substantial. You can see that.

[12:15 p.m.]

We do quite a good job here in B.C. We’re a bit of a leader in this space, on FOI operations, and we’re one of the few provinces that have centralized our FOI operations within core government. That is how we are able to meet…. Right now we’re on a time response rate of 85 percent, but you can see some other numbers there in terms of how this costs out for government.

There are not as many stats on the privacy front, but just within government you can see that we have, in the previous year, under 1,000, but we have capped over that 1,100 number, in some years, on assessments. It is substantial and should be noted, when you’re considering recommendations, that this is the scale just within 22 public bodies of the 2,900 that are all following this act.

As you’re all very aware, Bill 22 passed in the Legislature in November. Shortly after that bill received royal assent, there were two regulations related to the act that were passed. One relates to the disclosure of personal information outside of Canada, and the other relates to application fees. Those are posted and live. However, there is still quite a bit of work underway to fulfil the other requirements in the act, both in regulations and ministerial directives. We’ll talk a little bit about this as we go on. As a shorthand, these relate to privacy management programs, privacy breach notifications and data-linking programs.

We were asked to provide a status update on the special committee recommendations. Again, you’ll see from the amendments that were recently passed that there are a number of special committee recommendations from the most recent committee that were included in that package. Of the more notable ones, we have the mandatory breach reporting, privacy management programs and the ability to include subsidiary corporations into the scope of the act.

Looking at those recommendations, not all of them were legislative in nature. Some of them relate to things that could be done via policy or things that can be simply done in review. There are a number of places where you would be looking to see where these recommendations were fulfilled. Again, a notable example here would be the Information Management Act, which was a first in Canada, where we’ve got a very strong piece of records management legislation that relates to duty-to-document decisions — an important piece there that we saw as a reflection of the recommendation the special committee passed.

There are a number of recommendations that related to the proactive disclosure of information. This is something that we have existing powers to do, as well as simply an ability to do generally. This is something that you can see through our many proactive disclosure releases that we post on our Open Information site. To give you more hard numbers, on the previous committee, we had nine recommendations that were included in the last round of amendments but an additional eight recommendations that we’ve resolved in other places.

These are the ones that we’ve had the opportunity to complete, but given the size of the package that we passed in the fall, it doesn’t mean that the recommendations that were not included in that are ones that we’ve necessarily denied. It’s simply a time — and other considerations — matter. Because we can’t necessarily do all of the things all at once every time, it’s worth including, in a review, the recommendations that previously had been provided and that could, again, be brought forward.

I’ll talk a little bit about…. I know the special committee hears quite a bit from folks around the province generally, but as a part of our amendments, we took a look at both what we saw and what we heard as part of the previous special committee and did our own consultations around the province as well.

There are a number of consultations that took place through both 2018 and 2019 as well as 2021. I will note that those were the more formal consultations. The way that we work with other public bodies is fairly collabora­tive. We do hear from them, almost constantly, about how the act is working for them generally — whether there’s something that’s working very well or something that’s not working very well. This is kind of an ongoing conversation, as was mentioned by CJ at the beginning.

[12:20 p.m.]

As a part of those formal consultations, we did hear from thousands of people. There are always lots of people that want to provide their input on this act specifically. We did a couple of public engagements, seeking comments from anyone that wished to chime in on those public surveys. We also chatted with some of our key stakeholders in ministries and other public bodies, from industry experts as well.

We had a number of conversations with Indigenous organizations, as well, through the legislative process with treaty First Nation representatives. On top of the public surveys, we did a sort of demographically representative survey, through Ipsos as well, in order to get more targeted feedback as we were looking at the amendments package that went forward most recently as well as a couple of invitations for input distributed to leaders of the over 200 First Nations in B.C.

If we jump to the next slide…. So we’ll jump through a couple of key amendments that we have here. The first one, just given the interest in it generally — we know that folks wanted to hear about this one — is the disclosures outside of Canada and the changes to this framework.

As I noted previously, what we had heard in our consultations and what we’ve heard just generally over the years from our partners in other public bodies and across ministries is that this is an exceptionally challenging requirement to balance with the need to do ministry business or public body business. There are a lot of tools that are not permitted to be used. Yes, there are data centres in Canada. Yes, we can store data in Canada, but that doesn’t mean that all services are available in Canada or that they can take advantage of those data centres.

This isn’t an issue that’s as simple as: “There are data centres here, and therefore, this is something that can be done.” Sometimes it really is about the service and where those services exist or where aspects of those services exist. Even the sort of large scale cloud services that are available within Canada, not all of the functionality or services within those are necessarily available at those Canadian data centres. That’s simply not how the tech sector works anymore.

The solution in this phase was to repeal the data residency provisions that we had in place, but acknowledging that it is not the same to store data in Canada as it is to store it outside of Canada. So what we have done is by repealing the data residency provisions, we have put FOIPPA in a place of being basically identical to the other provinces across Canada. But then we have added in an additional regulation-making authority to allow us to add criteria or conditions on disclosures outside of Canada, which is something that the other provinces don’t have.

As I mentioned, we have passed this regulation already, so what we have required is essentially added diligence around these things. Acknowledging that it is not the same to disclose inside Canada as outside Canada, we want more diligence around those disclosures outside of Canada. Where sensitive information is being disclosed, we want an additional risk assessment built into the normal privacy impact assessment process. Essentially, if there is a potential for additional risk, we want to make sure that that risk is mitigated and managed properly so that information is secure and appropriately managed.

We’ll get into this. Actually, I should have spoken to this earlier. In FOIPPA’s privacy provisions, there are security requirements, as well, which require reasonable security measures to manage against any potential risk. What this additional risk assessment does is…. By asking for more diligence around what you were looking at, it ensures that that is then leaning into the existing security requirements.

If you are going to look for what potential risks exist, you are then legislatively required to ensure that that risk is properly managed. Again, this new solution leans into the framework that we have to ensure that it is responsive to what we need so that public bodies can use the services that they want but are properly managing privacy.

If we jump to the next slide, this is not really an issue or a problem that needed to be solved but rather an opportunity where we could improve the general privacy framework that we have here in B.C. You’ll note from the number of changes that we’ve added here — and I will note these are all recommendations that we heard from the special committee — places where we are increasing and improving the management of privacy generally.

As an example, mandatory breach reporting for public bodies. This is an international best practice that public bodies will soon be required to do, along with having a privacy management program as well. I think we’ll try to put this a little bit further on as well.

[12:25 p.m.]

We’ve also added some greater disincentives to bad privacy behaviours. These are new offences that we’ve added to both collecting or using personal information against the law as well as a few that relate to trying to evade FOI as well. The penalties around these offences have been raised to $50,000. Previously, many of them were around $5,000. This is not necessarily because we are expecting to suddenly start charging people mass amounts of money for every breach that we see. Rather it’s to very clearly communicate the seriousness of going counter to what FOIPPA says is permitted by a public body.

These offences don’t get charged very often. I think, historically, there has only been maybe two. Again, it is very effective in terms of communicating to public servants that things like snooping, as an example, are not permitted.

The last one you’ll see on the slide there is around the power to add subsidiary entities to the scope of FOIPPA. This is, again, something that we saw very clearly from the committee, and we sought to find a solution to this that balanced the issues that we saw as we were diving into that issue.

If we jump to the next slide. This is around application fees for general requests. As I mentioned at the front, B.C. is unique in terms of the number of requests that we get, which has a negative impact, generally, on how long people have to wait for their request. That length of time where that service level, really, for individuals that are asking for information, in our analysis, is best served by having an application fee up front.

What we have done is we have enabled public bodies to charge a $10 application fee for general requests. This is not for an individual asking for their own information but rather for someone asking for, say, a copy of a contract or a copy of a briefing document. Those kinds of requests. I will highlight that we are not requiring that public bodies do this.

Not every public body is in the same situation, generally. Many small public bodies can manage their requests. They maybe don’t get that many and they are easily managed within the time frame they have and this is not something that’s on their radar as a need. You are unlikely to see public bodies that don’t have that need charging this kind of application fee. For other public bodies, it is absolutely something where the service levels are suffering because of it.

What you will see are applicants being a little bit more specific to the request and really working with the public body to ensure that there are records released at the end of that request. So there’s always a conversation that happens between an FOI coordinator, say, and an applicant to…. Not every individual understands how government works, so there’s always a conversation to help them find the records that they are looking for that sort of fall under our duty to assist the applicant.

One note here for government is that we have exempted Indigenous governing entities from paying an application fee. This is, again, trying to recognize that in a government-to-government relationship, information is pro­vided a little bit more readily. We don’t see, necessarily, other government levels making FOI requests, so no charges are incurred there. What we are trying to encourage here is a better information-sharing relationship, generally, and exempting the application fee is a good first step there.

As I mentioned, again, no fee for an individual asking for their own information.

Following on that last item, we are keen to make some updates to the act. We often talk about modernization of FOIPPA and that conversation being kind of technological in terms of what we want the act to be able to reflect. There is a modernization that also needs to happen in terms of the language that is used in the act. If you can see the changes that we made here, you’ll note that some of the language was well outdated and needed to corrected, I would say.

There are a number of other improvements that we’ve made here around having a better information-sharing relationship with Indigenous partners. One of the things that we heard was that the existing 15-year limitation on exempting information from a released FOI was not long enough, because there were harms that extended well past 15 years in negotiations that certainly exceed that amount of time. This is something that we heard directly from some First Nations and were supportive of generally.

[12:30 p.m.]

One of the bigger pieces that we added was a mandatory exception to disclosure on the FOI side to protect sensitive Indigenous cultural information. This is tracking to concepts that are laid out in UNDRIP, in the declaration act, and trying to shift control over that information to the Indigenous peoples to whom it relates. Where there is a potential harm by releasing information, it is only the written consent of that specific Indigenous people that can allow that release of information under FOIPPA. In doing so, we’re hoping that this better reflects the control of information sitting, again, with the peoples to whom the information relates.

This is one thing that we’ve done to protect information, but we’ve also, on the privacy side of things, increased our ability to share information with Indigenous governing entities. What we’re trying to reflect here is an idea that we can provide more information to Indigenous partners, and we can protect information that is provided, in turn, back to government.

Again, these two things kind of work in tandem to hopefully improve the information-sharing relationship generally and reflect on that disclosure authority. If an Indigenous governing entity needs information in order to exercise their rights, it shouldn’t be FOIPPA that stands in the way of that information going to that Indigenous governing entity. It’s just important in terms of reflecting rights that exist generally.

If we jump to the next slides. I won’t dive deep into this slide, generally, but I just wanted to highlight that there are a number of other changes. As I said, the legislative package was significant. We unfortunately don’t the time to go through every item, but I just wanted to highlight a few of the key ones that you might be interested in.

Just as an example, we’re adding a few police chief associations as public bodies. That has not come into force yet but will. To reflect that that’s…. Though it didn’t necessarily start out as being an entity that looked like a public body, it did eventually evolve into that. So be aware those policy discussions are happening. That public body will now be subject to FOIPPA.

Similarly, there are requirements in FOIPPA to notify an individual, when you’re collecting their information, of what you’re collecting it for, the authority you’re collecting it under and contact information. Previously this required a physical mailing address as a part of the contact information. We’ve simply updated that to be contact information, so that could include just an email address, if that’s appropriate. Again, a bit of a modernization effort on FOIPPA, where it previously reflected more of a paper-based public sector.

If we jump to the next slides, there are a couple of items here where the act requires either regulations or ministerial directives to bring into focus the full set of requirements around a couple of items. We wanted to just do a quick touch on some of those.

The first is around privacy management programs. This is something that we heard from the committee that was something that should be included in the act. But a privacy management program isn’t necessarily an instantly understood term. It is, for folks around the table here, a program that ensures that you are planning to be compliant with the act rather than simply being compliant by happenstance. You know, you can not breach information because you’ve not shared it, but you can also plan to be compliant by knowing when you can disclose something and choosing not to disclose it for that same reason. So it’s about being purposeful about being compliant with FOIPPA.

This could include things like having a privacy officer who can do these kinds of things or having privacy policies, as an example. This is a space where we do still need to have a ministerial directive that sets out what is included in a privacy management program — seeking to have something here that is reflective and proportionate to the public bodies. We know that the privacy issues and the privacy abilities of, say, a health authority greatly outstrip that of a very small, local body.

There’s a blueberry commission, as an example. They don’t necessarily have the same resources to devote to this kind of thing. This is a place where we would be interested in hearing from the committee recommendations around what could be considered as part of a privacy management program.

Then, of course, there will be a regulation to bring this into force. Our hope here is that there’s enough time to provide public bodies notice of what this will look like so that they have time to adopt these practices before the requirement comes into effect.

[12:35 p.m.]

If we jump to the next slides. We also have a new requirement around mandatory breach reporting. This is, again, something that came from the previous special committee. The intent here is to notify an individual when something has happened to their information that has a potential for causing significant harm. That could be…. They might be at risk of fraud or theft, some kind of financial harm — physical harm in some instances. Where the information is particularly sensitive is a place where we want to notify individuals of what’s happened with their information so that they can manage themselves in accordance with that understanding.

There is a regulation required here to set out what would be included in the notification. This is another place where we’d be interested in input in terms of what the committee believes would be important for individuals to be instructed on when this kind of thing happens — again, looking to bring this into force with enough time that public bodies can plan for this before it comes into place.

If we go to the next slide, this is, I think, the last item that we’ll jump into substantively. This is around data linking, which was formerly very complex and very difficult to understand. It is still not necessarily the most straightforward concept in the world, but essentially, when we are linking data between different public bodies, there is an additional privacy risk, generally. We do want to make sure that this happens responsibly. We have evolved significantly since this first requirement first came into force in 2010. So it’s not correct to say that all data linking is necessarily very risky privacy behavior, but there is a need to bring modern oversight into this space.

Our hope here…. In terms of working with the commissioner, where the commissioner’s office should have oversight over those data-linking programs where there is potential for risk, we want to make sure that the requirements around data-linking programs lean into that concept around proportionality and appropriateness. I give the commissioner an opportunity to see what is happening. They may elect to do a deeper dive in places where there is more real risk of harm to individuals or where privacy is more important to manage above that usual standard. Again, a more modern oversight framework here is to the benefit, but again, I’m happy to hear from the committee what they might suggest in this space as we evolve into it.

If we go to the next slide, we can move into the question period generally, but just to highlight that we have made a number of resources available both to the public bodies and individuals generally interested through this site. There are a number of different resources there, but we’ve given you just one handy link for when you’d like to look into that.

R. Glumac (Chair): Excellent. Thank you very much for the presentation.

We will now move to questions from committee members.

S. Chant: Good afternoon. Thank you so much. This has been very comprehensive, and I appreciate it.

I’ve got questions and comments — probably about a half-dozen of them.

Rick, do you want me to go through them all at once, or do you want me to keep sticking my hand up and coming back? What would you like? Or give me a time frame.

R. Glumac (Chair): I’m okay with you asking them one at a time, but maybe if it goes on too long, you can go back in the queue and let some others go.

S. Chant: Okay. My first one is that I really think that we need to figure out whether we’re FOIPPA or FIPPA. We need to make a decision on that. That just drives me crazy that there are two options here, because it’s confusing enough with one option.

Anyway, the data that you showed us for 2021…. That is ministries only. My understanding is that for 22 bodies only, we’re spending $31 million a year. If we multiply that by many, many, there’s a lot of money being spent on this stuff. Am I correct?

M. Reed: Yes. That is just for the ministries, but I would say it’s not necessarily…. You can’t simply multiply it against the numbers.

[12:40 p.m.]

S. Chant: No. I understand that. I also feel that if we can get that down and get that money redirected, we might be benefiting people.

Out of the 2016 recommendations, it looks like 17 out of how many were addressed. It looks like nine were addressed one way and eight were addressed another. How many were there total — recommendations — approximately?

M. Reed: I think there were, formally, 39 recommendations, but they weren’t necessarily all within the scope of what we have control to change. Some of them relate to….

I know the commissioner’s office had a few there that they acted on. There are some that relate to different ministries and what they might do and sector-based legislation and some of them that are not recommendations for, say, a legislative or a policy change but rather as simply a consideration. If we considered it and considered what the committee recommended we consider, we didn’t count that as: “Yes. Check. We fulfilled that.” It’s a fuzzy number, for sure.

S. Chant: Okay. We will have access to that information, I assume.

M. Reed: Correct.

S. Chant: Okay. When the consultations were done, was there some kind of report away from that that said: “These are the buckets of places that people were concerned about”? Is that report available to us?

M. Reed: We do have a publicly available report — I think it’s called a what-we-heard report — following those consultations, both in 2018, I believe, and then also in 2021. We have two reports.

S. Chant: We could access that. Okay.

Can you tell me what a subsidiary entity is, please?

M. Reed: The subsidiary entities issue, which was raised in the last committee, relates to businesses that are created by public bodies. There was a report from the commissioner’s office, which is also available on this issue generally, that speaks to subsidiary entities in the post-secondary sector. They have organizations to manage large financial issues that come up. I think land is one of them, as an example.

There’s a fairly comprehensive report from the commissioner on that generally. But in short, it is an organization or a corporation that is established by a public body.

S. Chant: Okay. That’s it for me. Thank you for your help.

R. Glumac (Chair): Before we go to Henry, just a quick follow-up on one of Susie’s questions. She was asking about the state of the recommendations from the previous committee. You had said that we would get access to that information. Will you be providing the committee a table or something that can outline the state of each of the recommendations — whether they’re fulfilled in Bill 22 or through the Information Management Act or in some other…?

M. Reed: Sorry. I misunderstood that request. I presume you’re looking for the 39 recommendations in total. We can take that request back, though.

R. Glumac (Chair): Okay. So that request has been communicated. Thank you.

H. Yao: Thank you so much for the presentation. I do apologize. Like Susie, I’ve got quite a few questions I would like to ask. Forgive me if I ask any question that sounds like I don’t know what I’m talking about. Do forgive me on this one.

The first question I have is…. We often talk about FOIPPA requests, some of them being specific, the other ones almost feeling like fishing requests. Is there any kind of attempt to categorize FOIPPA requests so we can actually understand what are more specifically targeted, as some of the requests are more generic, looking for random information?

M. Reed: Great question. Our hope, generally, with FOIPPA and the way that FOIPPA was originally established, was creating a formal backstop that allows individuals to get information. The hope is always that folks can simply access information readily and generally, whether it’s available on a website or they simply ask a public servant for that information. Then there’s a legislative process where it’s either very complex to provide that information or where someone doesn’t know who to contact. It’s more of an avenue of last resort rather than the totality of all requests.

We certainly don’t want to have all requests for information go through the FOI process, because that’s unnecessarily onerous for all requests. It’s certainly not reflective of all the requests that we get, just those that hit that formal process.

H. Yao: Perfect. On page 4, you guys talk about a proactive disclosure made under the ministry directives, and you have about 3,521. Do you have any historical data for us to do a comparison on?

[12:45 p.m.]

Two, is there any kind of actual directive policy that, if there’s any ministerial change or even government change, they can maintain the same level of proactive disclosure? Or is disclosure still based upon the ministerial directive of the time?

M. Reed: I don’t have the stats available with me now, but we can show the number of proactive disclosures that have been made over the last number of years. Those directives do stand, essentially, until they are repealed. It is a ministerial directive, but they’re not changed when the minister changes. They stay in place until they are repealed.

H. Yao: A quick question about page 7, where you’re talking about different stakeholders. I’ve got just this one generic question. Are the traditional media a part of the stakeholders when you guys are consulted?

M. Reed: FOIPPA is one of those acts that I’d say almost everyone is a stakeholder or at least is invested in the act generally. So for us, it’s always important to hear from everyone, whether it’s through formal means or otherwise, in order to balance their interests generally in terms of whatever sort of policy analysis or position we’re moving in. Yes, everyone is, if not a partner, a stakeholder in FOIPPA in general.

H. Yao: Perfect. Thank you.

On page 10, I have a question about enforcement, which you mentioned earlier. This, unfortunately, was based upon a personal experience where I actually called 811, asking a very generic question. Unfortunately, they would not provide me the answer until I provided my health care number and all of this very personal information, completely unnecessary for the generic question I was asking.

When a government body is actually requesting more information than necessary, what’s the proper protocol, what’s the proper channel, for us to pass that concern on to you so that we can actually have a proper body to address the unnecessary request for information?

M. Reed: A great question, and there’s a different answer, depending on who you’re talking about generally. The best first spot is always the public body that you’re talking to, in terms of just making it clear about your experience generally or that you don’t think that that information is generally necessary. I mentioned earlier that there’s a requirement for public bodies to provide notice when they’re collecting information from you and, in that notice, to provide you their legal authority to collect the information, the purpose of it, and then somebody to talk to if you have questions or problems.

That’s exactly what that contact would be for. I’ve got a contact here. I’m going to phone you up, or I’m going to email you and say: “I don’t understand why this information is necessary.” At that point, they should be able to defend both the purpose and the authority generally. If, at that point, you’re not satisfied with that response, if it’s a ministry that you’re talking about, then you can come to the Ministry of Citizens’ Services to launch that sort of distaste at a broader public sector.

Then you certainly can have a conversation with the commissioner’s office. You can ask them later in the afternoon about that generally. I do know that the commissioner’s office is always keen on mediation and not going through formal processes where unnecessary. The best first step is always going to be, regardless of whether it’s public bodies or the ministry specifically, to first talk to the public body and try to work it out directly with them.

H. Yao: Perfect. I hope you don’t mind just one last question.

On page 16, you guys talk about mandatory breach reporting. If, for example, any kind of information has been breached and thus requires some amount of credit monitoring, does government do any kind of proactive effort to make sure we’re monitoring credits or monitoring any kind of potential misuse of personal identity information that has been leaked or has been breached during the process?

M. Reed: A great question. This kind of relates to what is actually happening in the breach itself. If you’ll recall, notably, there was the LifeLabs incident in the past, where folks that were subject to it were offered credit protection services. Where it is appropriate and necessary, those are often offered, but it’s not necessarily a useful mitigation in all breaches, because sometimes it doesn’t relate at all to credit information or financial information but, rather, relates to, say, somebody’s address or somebody’s health condition, in which case it’s more about ensuring that the individual is aware of who knows what about them.

H. Yao: Okay, perfect. Thank you so much for your time. I really appreciate it.

J. Rustad (Deputy Chair): I also have a number of questions, but I’ll try and maybe do this in a block of questions. The first question I wanted to ask is around the fees and the fee being charged.

[12:50 p.m.]

A number of years ago, many years ago, there were some recommendations coming forward that the amount of people using the emergency room was awfully high and that perhaps a fee should be put in place to try to discourage people from just going into it as a convenience as opposed to going to a clinic or some other thing. During your presentation, you talked about the fee being a way to try to have people think about putting in the applications as opposed to just putting it in.

The question, really, through this, is: is the fee really designed to try to limit the number of people that might come forward with a request for freedom of information?

M. Reed: I’ll use an example here, I think, that’s potentially useful in understanding how the fee can functionally work within government. We have a digital front end of our FOI system which allows you to check box the ministries that you are interested in supplying that request to. Under a system without an application fee, there is no reason not to simply select all ministries, which is a behaviour that we do see quite extensively from folks submitting online forms.

What that means is that that request is then sent out to all of the different ministries. All of the different FOI coordinators are then having to send it out to potentially relevant areas within those ministries, and folks are having to do an adequate search within their records to ensure that they don’t have anything that could relate to it, when that request could more effectively and more appropriately be simply provided to the one or three ministries, potentially, that it is more relevant to.

In that way, it’s ensuring that the request is appropriately framed around what information the individual is actually looking for, because there’s more of a conversation there on the front end to ensure that they’re getting the information that they’re looking for without, again, sort of firing up the whole FOI system on every request.

J. Rustad (Deputy Chair): Perhaps if I could just have some clarity. I’m a little confused, and I have to admit that I’m not overly familiar with actually putting in FOI requests. If there’s a fee associated with putting in a request, is that a fee per ministry request, or is that just a fee per application?

M. Reed: That is per public body.

J. Rustad (Deputy Chair): Per public body. So if you need to get information, for example, on an Indigenous issue that touches on seven different ministries, you would have to charge a $70 fee to get information from those seven different ministries that might have been involved in a decision?

M. Reed: If the records are held by seven different public bodies or seven ministries, then it would, with the exception of where that request is filed by an Indigenous governing entity or someone acting on their behalf, in which case that would be free.

J. Rustad (Deputy Chair): Okay. The second question I have around the same thing is: what is preventing an organization — let’s say a First Nations media outlet — from being able to put forward all their requests of information with no charge, yet their competitors have to be charged a fee? How does that work?

M. Reed: The Indigenous governing entity is a defined term, so it is….

J. Rustad (Deputy Chair): Sorry, let me be clear. I do understand the difference between a governing entity, but if you’ve got a host of First Nations who own a media outlet, they could have one First Nation apply for all of these freedom of information at no charge. Or, for that matter, it could become a business opportunity for a media outlet or a political party or any other organization to partner with a First Nation for a fee, whatever that fee may be, and have all of the freedom-of-information applications come forward through a First Nation.

Please tell me that freedom of information isn’t being set up to allow for that kind of loophole.

M. Reed: Without getting into the specifics of which organizations we’re talking about, the Indigenous governing entities definition is specific to those exercising governmental functions, which would fundamentally be different from media functions.

I think that it’s maybe more useful to talk about a different aspect of this, which is that we often get the questions like, “Okay, well, I won’t make three requests; I’ll combine all of that into one very large request,” which an individual is permitted to do. But what you may see is that the bigger the request gets, the more likely it is to get a processing fee applied to it, because the amount of records that would be applied to that would be so much bigger, would require so much more time, more copying, etc.

Again, it’s not a perfect system generally, but there are mechanisms in place that would generally discourage from, say, all of those requests being piled into one request in that way.

[12:55 p.m.]

J. Rustad (Deputy Chair): Okay. Just the last question on that, because I think I understand what you’re saying with this.

If the purple party decides they want to put in requests, they could have an agreement with First Nation X. First Nation X could just put in those requests at no charge, and there would be no fee to that because it came from a First Nation governing entity in terms of the request, even though the request may be funnelled from there through to other entities. Is that correct?

M. Reed: Well, I won’t speak to the business of Indigenous governments generally, but what we can say is if a request is filed either by or on behalf of an Indigenous governing entity, then there will be no application fee.

J. Rustad (Deputy Chair): Right. Okay, well, there’s a great business opportunity for First Nations in terms of freedom of information.

The last question I’ve got along this line is on the fee itself. Many years ago there was, once again, a suggestion around the emergency room and a charge applied to that, but it was quickly discovered that the cost of processing a fee…. Because it had to be registered, there had to be a receipt, it had to be entered into the cash system, it had to be entered into the accounting, all the rest of that kind of stuff, the fee associated with collecting anything in was going to likely have to cost between $25 and $35 just to recover the cost of charging the fee.

What math or what numbers have you looked at in terms of the fee to make sure that this actually isn’t a cost associated with freedom of information to collect a $10 fee? If you get what I’m going at, in an organization that has union contracts, definitions, there is a process that has to be followed in terms of how that fee is collected, how the receipt is issued, how that’s accounted for, etc., etc. So what is the cost associated with collecting a single fee?

M. Reed: I don’t have the exact number on what that would cost. Certainly, we can look into getting that information generally. But this is one reason why we did not require public bodies to charge it. It’s exactly a reflection on that.

When we’re talking about government, where the scale of the number of requests that we’re getting is over 10,000, the ability to sort of stand up a system to charge a fee and to manage it appropriately is much more relatively in scale than it would be, say, for a small local government that doesn’t receive that many requests. Again, for those bodies, we would expect that that’s probably a very real consideration around whether or not they choose to levy the application fee.

J. Rustad (Deputy Chair): Just to be clear on this, you haven’t done the math in terms of the implications. No one has looked at the costs associated with it. You’re collecting over 10,000 — perhaps 13,000 or more — applications coming in that have to all be processed, that have to be properly accounted for and reported through, and there hasn’t been any analysis associated with the costs of actually doing that work at this stage.

M. Reed: No. I simply said that I don’t have it with us here.

S. Brouwer: I was just going to say that all fees charged by government go through a process with the Treasury Board, and there is actually thorough analysis done on them. The intention here was actually not to collect a stream of revenue but simply to ask people to streamline and focus their requests so we don’t chase around.

It is a minor cost to government. Like many fees we charge, it is mostly automated — Visa cards and this sort of thing. It’s simply pennies. But is it administratively cost-effective to charge a fee? It’s not about the fee. It’s about the process.

We have done that analysis, and we have done that work. As Matt says, he doesn’t have it here today, but we are required in government, as you well know, to go through a fee review process before we charge fees to the public.

J. Rustad (Deputy Chair): In terms of that, then, can we expect that you would be able to provide that, either in person or in writing, back to the committee — in terms of the costs associated with collecting the fees? I suspect the cost would be quite significantly higher than the fee actually being collected.

S. Brouwer: As I said, the intention was not to actually…. The cost of the fee is only a portion of the cost of the process. We are talking about a process that costs $31 million, so the fee is not comparative to the $10 that we collect but rather to the entirety of the process.

[1:00 p.m.]

Pending on what we have available in terms of cabinet confidences, I’m sure we could look to share some of that information with you.

J. Rustad (Deputy Chair): I was going to end it there, but I’m a little confused about cabinet confidentialities about the cost and fees associated with collecting. There should be no cabinet confidentiality associated with that. Having been in cabinet and gone through this, this isn’t exactly confidential information. This is the cost associated with government operation.

S. Brouwer: As I say, I’m happy to look at that. Treasury Board is a subcommittee of cabinet, as you know, and those are the traditions. I’m happy to do what we can to provide the information you’re asking me for.

A. Olsen: Perhaps I’ll just follow up what my colleague was just asking about. I don’t believe that the question was about whether or not this fee was for cost recovery for the $31 million program that is FOI.

I think what my colleague was asking was the cost to administer the collection of the fee. In the determination of the $10 fee, did the government, the ministry, do the math to determine whether or not it was going to cost more to administer the collection of the fee than the fee was going to collect?

S. Brouwer: Thank you for the clarity. I think I answered that I would attempt to get you that information. We would have done that analysis, yes. We don’t have it with us, but I’d be happy to provide it through to the Chair.

A. Olsen: Great. Thanks.

In the presentation here, you say people are waiting too long to get responses for their FOI requests. Can you articulate how it is that charging a $10 fee decreases wait times?

M. Reed: Sure. As I mentioned…. I gave one specific example in terms of how the fee on the front end can more appropriately focus a request to the ministries that are most likely to have information. All of the ministries that are then not included in that request….

Those finite FOI resources from the FOI coordinators, as well as the folks who would have to look at and do searches for the records…. All of that time is then freed up to folks on the requests that they do have that they should appropriately be responding to. There is a very real time and resource availability that becomes availability for the FOI space generally when folks are looking at the requests that are more appropriately focused on their area.

A. Olsen: The fee is, then, the deterrent for people to be seeking information from ministers, ministries.

M. Reed: I wouldn’t use the term “deterrent,” no. Again, as I said, if that request is focused to the places where the information is more likely to be, the individual is going to get the same information. What’s not happening is that all of the other ministries that are doing work to then say: “Listen, we looked, and we don’t have any records, because this doesn’t relate to us….” It’s all of the time for those public bodies or those ministries that is then saved.

A. Olsen: Okay. Thank you for that.

The on-time response rate you were talking about in the presentation was at 85 percent. When the ministry asks for an extension and the applicant agrees and the window is extended…. Does the on-time response number, the 85 percent number that you’ve given here, include people who have agreed to extend past the window that’s acceptable?

M. Reed: Asking for consent to extend a timeline is one of the things that would, legislatively, permit that legislative clock to extend. The on-time rate is reflective of those that have met their legislative due date. Whether it’s extended because the commissioner has permitted it to, the individual has permitted it to, or because it’s exceptionally large and gets that first 30-day extension or any of the other mechanisms under the act that permit that time to be extended…. Sometimes there’s a third-party consultation in the middle which would extend the clock as well.

[1:05 p.m.]

If, for any of those reasons, the timeline is extended and we meet that new timeline, then it would be reflected as on time.

A. Olsen: What is the number of applications currently that an extension is requested and granted, then, from the applicant? Sorry. What is the percentage of requests that are extended?

M. Reed: I don’t have that number in front of me. We could probably kick up the number of extensions that happen generally. But as I said, sometimes the clock is extended for an extension, and there’s a very clear legislative mechanism for when it can be extended, but sometimes it goes past 30 days because there is a mandatory third-party notification in the middle.

If, for example, an individual or a business is potentially harmed by the release of records, and we reach out to that individual or that business in order to assess those harms, that clock is then extended. So it is an extension of a sort, but it’s not a formal extension.

Even a hard number around “This is the number of extensions we provide,” wouldn’t necessarily give you the picture that you’re looking for. The timeliness metrics in general are exceptionally complicated and not necessarily reflective of the whole picture, I think. Certainly it is an area that has room for improvement.

Honestly, we’d be interested to hear from the committee if there are recommendations around what a better metric is for reporting out on the FOI picture generally, because again, we agree that it doesn’t give you the whole picture in terms of all the things that are happening in the very complex FOI system generally. There’s certainly room for more conversation.

A. Olsen: Just taking the presentation on the face of it, it would lead people to believe that 85 percent of the FOI requests are on time, and without asking for further clarification of the question, we find out that, for whatever reason — and there are a multitude of reasons — it’s 85 percent but that there are mandates that we have to get the information to people within a certain time frame.

Just with respect to the recommendations that this committee will come up with, when can we consider, when would we see these recommendations be brought into legislation now that there’s been a substantial update and amendments to this legislation just in the last session? Would we be looking at a series of further amendments in this parliament, or how does that work?

M. Reed: Obviously, I can’t speak to cabinet priorities and timelines there, but what I can say is what we do on the ministry side when we receive the report formally.

The report sits with our policy and legislation branch, and we do a deep dive on each of the recommendations. So while, again, we certainly respect the work of the committee, we can’t simply roll that into a legislative proposal. So there’s still quite a bit of work and analysis and, where there are either gaps or interests, talking to stakeholders as well. So there’s a whole ministry-side process that has to happen first before any kind of change could even be proposed for being included in the legislative package.

That’s the part that I can speak to because that’s the part that we do. That would be the part that takes up the first chunk of time after we receive your recommendations.

A. Olsen: Thank you. I’ll just leave it at this, Mr. Chair. I would definitely be interested in seeing that table of the recommendations and the other various government bodies that need to implement recommendations from previous reports. We might, as a committee, want to consider inviting those other bodies to report on progress that they’ve made on implementing the recommendations from previous committee reports.

I’ll leave it there. Thank you for the time today.

R. Glumac (Chair): CJ, did you want to respond to that?

C. Ritchie: Not to that. Just wanted to go back to the comment on timeliness and the way in which we do reporting. For the committee, the reporting that is done and the way that timeliness is captured has been the same for more than 15 years. So I think that is an area…. If the committee wants to lean in to some emerging issues for FOIPPA and how it can be improved, that would certainly be one of them. We would welcome any of your comments or thoughts or recommendations around the way in which we report.

[1:10 p.m.]

The timeliness is a construction of the way the legislation reports it. We think there are some nuances and complexities that aren’t reflected there that could be. So we’d look forward to hearing more from this committee on that.

T. Shypitka: Just sticking with the application fees…. It’s to increase timelines, for sure — and a speedier process. I heard MLA Olsen refer to the word as a “deterrent” — the $10 fee — and I wasn’t sure what the response was to that. But it’s to speed up timelines, so the $10 fee is added to improve that. I don’t know what the descriptive word would be. Maybe, Matt, you could give me that descriptive word.

What technological options — programs or otherwise — did the government review in order to improve timeliness, before resorting to a fee?

M. Reed: Sure. In terms of…. I think the word you’re looking for is perhaps “incentive.” What the fee does is incentivize better requests that produce more records. Again, I would caution use of this data more generally, but we have seen a reduction in “no records” responses just since November. What we see are applicants working with the ministry to ensure that their request does end up producing records. They’re directing them to ministries that are most likely to have information. So that’s working into a more effective system, generally.

In terms of other mechanisms, this isn’t the first, and this is certainly not the only mechanism that we have looked to add to our operations in order to improve the FOI system generally — even, I’d say, going back as far as 2010, which is when, for the government of B.C., we centralized our FOI services for government into one office here in Citizens’ Services. Previous to that, it was done ministry by ministry — done in each ministry specifically and respectively — which was difficult, because you don’t get a consolidation of experience and knowledge, skill of reviewing and managing those requests. So centralizing those resources was a huge boon to be able to manage the very high volume that we already have.

We have a number of technological systems that we’ve implemented in order to review files more quickly. We have, as an example, technologies that will help properly format weird formats of records that people often ask for, in order to better fit them into our software to review. We’ve recently implemented software to de-duplicate FOI packages so that when the same record appears multiple times in a set of packages, it can be severed consistently so that we can speed up the process of reviewing it on that end.

They’re just a few that come to mind, generally, but there are a number of both policy and procedurally based improvements that we’ve made on the FOI system generally and continue to make to this day. We have a fairly significant FOI project underway to make these kinds of improvements. Even just on the client side, the online form better supports how we receive requests so that we’re better able to manage them as well — not even to get into the staff complement that we have across government to help make this whole system move.

T. Shypitka: Thank you for that. I guess, with all of the efforts that have been done to streamline and bring better timeliness, the decision now is that a $10 fee will much improve all of the other efforts previously done.

I’ll go on to the next one here. Has a head of a public body waived any application fees since royal assent?

M. Reed: We have exempted all Indigenous governing entities, as I mentioned before, from paying that fee. I can’t speak to whether there have been any beyond that, but that’s the notable exception that we’ve made as a policy decision across the program.

T. Shypitka: Thank you for that. I’m not sure how it works, but does the act not stipulate no waiving of fees? How do you get around that?

[1:15 p.m.]

M. Reed: There is no legislative exemption or fee waiver process. If it’s a processing fee — as an example, for printing off papers or for compiling all of the records, whatever the case may be — within the existing fee schedule, there is a formal fee waiver mechanism there, where an individual can apply to the public body to have that fee waived. Those are for the processing fees that existed prior to November.

On the application fee side, there was no fee waiver mechanism put in, so there’s no process for it generally. But it is still with the discretion of a public body whether or not they want to charge that. As I mentioned, smaller public bodies are more likely to opt not to charge the fee because of how it will impact their operations, generally, in order to be able to charge that fee. There is an ability to simply not charge or to exempt from that fee. Generally, there’s just no process for an individual to go through it, because if there was a legislative process or mechanism within the act, then there would have to be a system to administrate that process as well, which would work against the benefit.

T. Shypitka: Okay, some more questions there, but I’ll leave it for now. I’ve just got two more left. Can the ministry then pinpoint the date when discussions about implementing a fee were brought forward? Was there a recommendation in a report to implement a fee?

M. Reed: I don’t have the dates in front of me in terms of where in the process or when it was brought forward. Sorry. I missed the second question.

T. Shypitka: Was there a recommendation in any report to implement a fee?

M. Reed: There’s no report. Again, we’ve mentioned a couple of public reports where there have been some discussions on a number of FOIPPA issues generally, but this is something that was done on the basis of policy analysis, consultation and general sort of legislative change process.

T. Shypitka: Okay, perfect. That leads into my last question on consultation.

The minister has said health authorities and universities asked the government to set the new fee, but Prof. Mark Mac Lean, who’s an elected member of the UBC board of governors, said: “Had this come to UBC board of governors, I would have argued strongly against it. We have enough transparency issues as a public university. We don’t need to add barriers to access to information.”

If the UBC board of governors was not consulted, precisely who was? You mentioned something about, also, First Nations. You replied: “Under consultation, it was discussions.” Do you have a list of what First Nations or entities or organizations, I guess, were consulted or discussed? I mean: two different words. In the slide, it was “discussions,” but under the heading, it was “consultations.” I’d like to get more details on that — if they were actually consultations and with, specifically, what organizations they were.

M. Reed: I think, as I mentioned before, there is a what-we-heard report generally, which has been published. So there’s a broader report on all of the consultations that were undertaken, I do believe — if not underway, then already done.

Through our open information sites, a number of these kinds of records have already been requested generally. I will defer generally to those. I think that maybe as a general comment, the package was fairly significant in its size. We talked to a lot of people about a lot of different aspects of this, so the consultation was different for everybody we were talking to as we talked to them about different subjects that were most likely to impact them in their business.

T. Shypitka: Right. So just the last little follow-up here on that. What, Mr. Reed, do you make of Prof. Mark Mac Lean’s statement on a lack of consultation with UBC board of governors?

S. Brouwer: I don’t think that would be appropriate for Matt to comment on. The minister did refer to UBC and read a quote out from UBC in Hansard. It’s on page 4156 of the November 18 sitting. I think the minister speaks for himself there.

T. Shypitka: All right.

J. Rustad (Deputy Chair): I know we’re running short on time, so I will try to be concise in questions, in case there are other people that would like to ask questions.

I wanted to follow up a little bit on the data residency. Maybe just as a quick first question on that, I believe in the presentation that you talked about how there wasn’t the capacity or the certain attributes you were looking for in British Columbia. First of all, if you could confirm that.

Second of all, was there ever a consideration to actually engage with a company in British Columbia to develop the attributes that you were looking for so that we would have the data within our jurisdiction as opposed to looking at data going outside?

[1:20 p.m.]

M. Reed: If I’m hearing your question correctly, it’s around some services or subservices not being available through Canadian data centres. Is that correct?

J. Rustad (Deputy Chair): I believe that’s what you were talking about, yes. There was an issue around keeping the data local as opposed to it going outside of a Canadian jurisdiction or a British Columbian jurisdiction.

M. Reed: Yeah. The number of services, I would say, that sort of fit that criteria where…. Whether it’s a large multinational or it’s a small software-as-a-service provider generally, it was something we heard very consistently in terms of: “Well, here’s what we can do for you in Canada, and here’s what we can’t.” It wouldn’t necessarily be the case that a business is willing to sort of hand over their proprietary software to someone else to deploy in Canada.

These are the businesses that are actually delivering these services and that are telling us that this is what can and cannot be delivered within Canada. Sometimes, again, having Canadian data centres means that they can move wholesale and say: “Here’s our service, and here it is within Canada.” We saw that with some survey software, as an example. But sometimes it is more complex or more integrated or is not more easily done.

Usually with the larger cloud providers — I use this as an example, not as a specific problem — like, say, a Microsoft or a Google, businesses at that scale, they run large international programs, where some services or some aspects of their platform they will start running in one country or one data geo, one geographical area. Once that gets up to scale, then they will start to deploy it in other countries or other geos, like Canada.

Sometimes we can get the service but not for four years — once it is fully entrenched into that business’s technology model — and sometimes it’s simply that’s just not where that system runs. Sometimes it runs internationally, generally because that’s how the sort of more cloud-based aspect of that program runs. It’s for different reasons for different businesses, but generally, it is something we heard very consistently across the tech sector.

J. Rustad (Deputy Chair): That comes back to the question: was there any effort or any consideration to engage with local companies or even an international company to develop a local solution so that we would be able to be assured that the data was staying in British Columbia?

M. Reed: A hard question to answer, I’d say. As I said, the places where we see this kind of thing happen is everywhere. This is every service, every technology, across every sector, really. So it’s not a matter of: “We’re missing this one big technology; if only there were a B.C. firm to be able to do this.” It’s a little bit more integrated into the tech space generally.

Where there’s a Canadian-based service, that’s great. We always like to use those, because it makes the privacy analysis, the procurement and a lot of things much easier. But even going down that road, we still find that where the rules were not, maybe, well understood or where the program develops or evolves and wants to take advantage of new technology, we’re barred from being able to do that because of those rules.

C. Ritchie: I might add just a couple of points here, if that’s okay. I can confirm, having been in the office of the chief information officer for a long time, even before I was in this particular role, that over the years there have been a number of conversations, particularly with the large tech providers, about having a B.C. presence. Generally speaking, we don’t necessarily represent enough in their revenue stream to compel them to pick up and create headquarters here. There have been some minor exceptions to that, but there have been many conversations over the years.

The other thing I would confirm for you is that the number one concern I heard, as the government chief information officer, from broader public sector CIOs, health authority CIOs and the education sector was their need to have access to modern tools and cloud services. This amendment in the act allows them to do that. Having said that, we’ve been incredibly clear with all of them that this amendment was not going to be a path to a cloud-first or a cloud-only strategy. It would be a very specific and well-considered strategy around what types of information and data could be disclosed outside of Canada.

[1:25 p.m.]

There’d be a number of guard rails — privacy impact assessments, security threat and risk assessments, technological encryption and things — to ensure that for the data that was disclosed outside of Canada it would be safe to do so and that all of the data that would be considered for that path would go through a number of gates to ensure that it was safe to do so.

J. Rustad (Deputy Chair): Thank you. I see others have questions. If there’s time, I’ll come back to some more issues on that.

J. Routledge: Thank you to the ministry staff for taking the time to help us understand this piece of legislation and the complexities of it. I did read the slide deck before the meeting. I thought I understood what was at issue here, but I must admit that as a result of some of the exchange, some of the questions and responses, there are some things I am a bit unclear about.

Specifically, I’d like to follow up with regard to the application fee for general requests. Can you clarify? As I understand it now, the application fee of $10 is discretionary. Is that right — that it’s discretionary, that each ministry, each body, can decide whether or not it will charge the fee, that it is primarily based on the impact that the requests could have on service delivery and on that particular body’s capacity to deliver a service, that it applies to general requests as opposed to specific requests and that it’s designed, really, to streamline the work?

I guess, then, following from that, in the event that there is or is perceived to be an abuse of that discretion, what options are available in order to correct that?

M. Reed: Great question. One thing I would say is that it is discretionary for public bodies on whether or not they’d want to choose to apply the application fee. What we’ve been advising public bodies to do is to make the decision at a public body level and not to say: “Well I don’t really like you, so I’m going to charge you $10 but not somebody else.” There are number of issues that are outside the scope of FOIPPA and just more around discriminatory practices that, obviously, we want to discourage any public body from doing generally.

For government, we’ve made the decision to exempt Indigenous governing entities, as a reflection of what we would like to move that relationship to be: more towards this idea of sharing information on a government-to-government basis and not charging a front-end fee. If the decision is made by a public body to charge the fee, it should be on the basis of their FOI system generally, not this specific request or that specific requester.

J. Routledge: Thank you.

A. Olsen: One of the questions that fell off the side here with respect to the fee — the last question that I’ve got — is just around the fees and equity. When the ministry was considering a fee in order to solve the problem that was identified in the slide, which was wait times or length of times for processing, did it consider the potential problem that it would be creating for people who could not afford those? What investigation was done by the ministry to ensure that they were not limiting access to public information for people who can’t afford a fee?

M. Reed: There was quite a bit of analysis that went into this. Obviously, to make legislative change at all requires significant analysis, but there are a number of mechanisms, generally, that have to be taken into consideration because it is a very dynamic ecosystem in this space.

When we’re talking about access to information, we’re not just talking about people making general FOI requests. What we’re talking about is how people get information informally, how they get it through proactive disclosure, how they can perhaps get access to their own files.

[1:30 p.m.]

It’s having a portal to a service that somebody can download their own file from and, as well, make a formal FOI request for somebody’s own information. All of those things have to be considered together when you’re thinking about how an individual, or how anyone, would be impacted generally by being able to access information and how that fee might impact it.

A. Olsen: Specifically to a fee being applied where a fee was not previously applied in order to achieve an outcome for government, I recognize that there are a number of factors going in to determine whether or not the ministry is going to implement a fee or not or what that fee is. What analysis was done to ensure that low-income British Columbians are not being impacted by this to a greater extent than those who can afford a $10 application fee and afford to be able to do that? Presumably, we want to make sure that we’re treating British Columbians equitably.

M. Reed: For sure. Yeah. As I said, as part of the analysis, there are a number of things that go into that analysis. It includes looking at how things have worked in other provinces, looking at how other fees generally have worked. There’s a lot of data that we can look at that can give a sense of how folks would be impacted by something like this, as well as, again, building that into what other mechanisms we have to share information more broadly across the system.

A. Olsen: Is it fair to say, then, that after that analysis, the ministry made the determination that there would be minimal or limited or no impact on low-income British Columbians, let’s just say, as one — that that wasn’t going to limit their access to public information?

M. Reed: We are quite confident in terms of the strength of our system generally. We have a lot of different mechanisms to release information. We know what kinds of requests we generally get. Truthfully, this is a big part of why individual requests…. A request for somebody’s own information remains free, which is not necessarily the case in every province, because that is the place that is a service that’s most heavily used by people in more vulnerable populations or people that don’t have much access to financial means.

C. Ritchie: We also know that in most cases, requesters tend to have one request per year. There’s a small handful that have five or less. Given the analysis of who’s requesting and that their personal information was exempted, and that there are other ways to get information based on that analysis and looking at the data, we felt that this was a valid option.

J. Rustad (Deputy Chair): I wasn’t sure if there’d be time to squeeze in one more question, but I will ask.

Normally, the work that is asked by this committee to undertake is…. By legislation, I think it’s every couple of terms the committee comes together, and it reviews what’s going on. It engages, of course, with the officer of the Legislature and the ministry and then brings forward recommendations.

Was there a report or a rationale that was given to the ministry with regards to moving forward with these changes that were implemented last fall prior to the committee having the opportunity to be able to do this review and make its recommendations for the ministry?

M. Reed: I think I responded to this, in part, before, which is that I certainly can’t speak to cabinet priorities generally, but a number of factors and considerations that go into any kind of changes…. As I mentioned, in terms of our process, when we receive a report or when we’re expecting a report, there is a fairly significant amount of work and process that goes into reviewing that and understanding the ramifications of what might happen if we adopt all of those recommendations.

[1:35 p.m.]

Generally speaking, we always seek to use legislation as not the first tool, but if we could do something by policy or by process or by practice to accomplish the goals that way, those would have been factors in terms of considering timing generally.

J. Rustad (Deputy Chair): Thanks. I wasn’t so much referring to the recommendations — I mean, the past recommendations from 2016. Obviously, it was five years before the significant changes came forward. Sorry. That’s not necessarily true. Obviously, some of those changes could have been implemented in previous years.

Given that we were so close, I’m just curious as to why we didn’t wait for recommendations to come forward for this. I understand the legislative drafting component and the priorities of government and that side of things. It just seems odd that changes like this — in particular, some of the significant changes — have come forward without having the opportunity for the committee to be able to provide its input so that we didn’t have to necessarily draft up legislation twice, should there be other recommendations to bring forward that the ministry decides it would like to do.

S. Brouwer: Certainly. I’ll be happy to respond to that.

The minister, as you well know, responded to this question a few times in the House during the debate of the legislation. I’ll try to paraphrase her. It was essentially that the legislation hadn’t been substantially updated since 2011, and we had some 35 recommendations that had not been implemented. With COVID in place and the need for modern tools and the consultation work that we had done in 2018 and later updated in 2021, the minister felt that the time was right for that work.

Not to supersede any of the work that this committee will do…. We’re more than happy to accept recommendations, and we look forward to the recommendations coming from this committee. I hope the recommendations that we receive will not be sat on for that number of years and that we would implement them sooner.

R. Glumac (Chair): Thank you. Well, I’ll ask a few questions before we finish here.

Are there stats on the number of requests outside of the ministries? So 10,200 requests within the 22 ministries — how many requests were there in the other 2,900 bodies? Do we know?

M. Reed: Unfortunately, we don’t know. We don’t have a means of, essentially, coordinating that level of engagement and inquiry with all of those different public bodies. We have ours because we consolidate all of the ministries within our central service here. But unfortunately, no, we don’t have that.

R. Glumac (Chair): Okay.

In regards to some of the recommendations from the previous committee that have not been yet acted on, do you have any plans, currently, that you can share on ones that you’re working on?

M. Reed: Yeah, of course. There are a couple that we would just kind of touch the edge of through our time here. Specifically, I’m thinking around privacy breach reporting and privacy management programs. There are recommendations from the last committee around specifically what kinds of things should be considered in this space, and we do still have the regulations and the ministry directives that are required on that.

That is something where if the position of the committee was to change from what existed previously, that would be useful information for us to have to be able to incorporate into the work happening currently. Those are certainly the most prominent recommendations that I think we still have got in motion.

R. Glumac (Chair): Okay. It was brought up previously whether we could get a bit of a breakdown of which recommendations have been acted on and which ones…. You mentioned that some of the recommendations said “consider.” Technically, you could consider it and not do anything. That could be a check box on that one. It’s a caution, I guess, for all committees to not use the word “consider” if you want to see recommendations implemented.

That being said, I would be curious to know whether a consideration would lead to a change or not. And this table…. In the interest of transparency, just for clarity, is that something that we could receive?

M. Reed: Yeah. I don’t have anything sort of prepared to provide, but we will pull the information together so we can give you a sense of what’s happened.

[1:40 p.m.]

R. Glumac (Chair): Okay. Thank you.

Then one final question for me, just around data linking, just so I can understand a little bit. You said that there could be some privacy risks in data linking. Could you give me an example or try to explain what those privacy risks might be?

M. Reed: Sure. I use the term “privacy risk” fairly generously. A privacy risk is anywhere where something is maybe counter to what an individual would be expecting. Like if you provide your information and it’s used for a different reason, that would be a privacy risk.

When you have two public bodies that are looking to share their information together — two databases, and you’re linking them together — that is potentially for a different reason than what the individual provided the information to that public body for. So even though it is permitted under the law, and you’re permitted to share the information, and they are permitted to use it, it still might be for a reason that an individual would say: “Oh. Well, I didn’t know that.”

It potentially raises a higher risk than would otherwise exist for an individual in that space. It’s not a risk like something terrible is going to happen. Sometimes it’s simply just something different.

S. Chant: Can I give you an example of that?

For example, if health and education share data about children and, for whatever reason, somebody goes in and checks, let’s say, vaccination status of children, it’s a shared piece, but it’s not to be used. It’s to be used as a piece of non-aggregate data. It’s not to be used on an individual basis. However, what has happened in the past is that a child is then…. The administration talks to the family about the fact that the child is not vaccinated, which actually was not their information to hold and discuss and share. That’s an example.

R. Glumac (Chair): Thank you.

All right. We’ll go to Tom.

T. Shypitka: I’m not too sure how this works, but I’ve got several questions. But in light of time, is it possible to submit some questions on the record for the minister to answer for the committee? Is that appropriate?

R. Glumac (Chair): Yeah, absolutely. I mean, if you’d like to submit questions, we could pass that off to the ministry and get the answers in writing, if that’s what you’d prefer.

T. Shypitka: Okay. I’ll just ask one question, then, and that’s just on cost on data. Was there any analysis done that looked at the cost implications, positive or negative, of moving data outside of British Columbia and having that data stored and accessed on foreign servers in foreign countries by foreign individuals? Was there any cost analysis done on that? Are we saving money? Is it going to cost money? Cost analysis.

M. Reed: Certainly, financial considerations are always a factor that we consider as a part of any policy analysis.

Yeah. In this particular space, it is a fairly dynamic set of considerations. Again, it’s around the services that you are getting, what you were getting for those services under the former regime, how much it cost to customize or reconfigure a system in order to work within Canada — which was often the case for us, where it was possible to get services within Canada. So there are a number of considerations like that that were built into the analysis of the changes.

T. Shypitka: Sorry. So that cost analysis can be referenced? I can get copies of what was done there?

M. Reed: The analysis itself would be, I think. Some of it is a part of FOI requests that we have underway currently, so I’ll defer to process on that one in terms of what we are permitted to release.

H. Yao: I guess my first question for the Chair is: do we actually have enough time to continue? I just have one quick question.

R. Glumac (Chair): Yeah, go ahead.

H. Yao: Since we’re talking about a lot of analysis…. We’re talking about data residency, and I know the ministerial order was able to allow us to actually access all of the Zoom-based data to actually help British Columbians stay connected.

Is there an analysis discussion in regards to that, if all of those ministerial orders were not provided and we did not have any Bill 22 adjustment? What kind of limitation technology-wise would impact us as British Columbians to staying connected, staying on top of our post-secondary education, staying on top of our business and staying on top of working remotely? Is there any kind of research or any kind of data around that information?

[1:45 p.m.]

M. Reed: As the process of this, the first ministerial order that permitted those kinds of disclosures was issued in March of 2020, shortly after we were all sent home. The original one was, I believe, set to expire after three months. Then we have extended it, I think, two or three times since then, ending most recently in this past December. Every time we renewed it, we were checking in with public bodies to have an understanding of how they were using that order, what would happen if that order weren’t extended and sort of what the repercussions of that would essentially be.

We needed to understand whether…. The pandemic has been a bit of up and down. Sometimes we’re at work, and sometimes we’re at home. So that analysis was, again, fairly dynamic, to ensure that we were aware of what would happen, to a reasonable degree, if we were to not renew that order as the pandemic was progressing. Certainly, that was work that happened as a part of that set of work.

R. Glumac (Chair): All right. Well, I think we’ve all had our chance to ask our questions to you today. Thank you very much for your presentation and for your responses to our questions. We look forward to receiving any other bits of information that we’ve asked for here today.

With that, I think we’ll take a five-minute recess before the next presentation. We’ll meet back here, let’s say, at 1:51.

The committee recessed from 1:46 p.m. to 1:53 p.m.

[R. Glumac in the chair.]

R. Glumac (Chair): Up next, we have a briefing from the Office of the Information and Privacy Commissioner. I’d like to introduce Michael McEvoy.

Michael, if you could introduce who you have with you today, and then you can take it away with your briefing.

OFFICE OF THE INFORMATION
AND PRIVACY COMMISSIONER

M. McEvoy: Thank you, Chair.

Good afternoon, everybody, members of the committee.

I would actually like to begin by, first, respectfully acknowledging that I present to you today from the traditional territories of the Lək̓ʷəŋin̓əŋ people, the Songhees and Esquimalt First Nations.

As you have noted, with me today are deputy commissioners Jeanette Van Den Bulk and oline Twiss with our office.

It is my honour to appear this afternoon to provide this first general briefing as you undertake the important work of reviewing British Columbia’s Freedom of Information and Protection of Privacy Act.

I’m smiling only slightly, because if the member for North Vancouver–Seymour will indulge me, at least for the submission, I will refer to it as FIPPA, as my office has done for nearly 30 years. In fact, that’s the term used in all documents we issue, including legal orders.

With that, let me begin by addressing what I think is an elephant of some size occupying the room with us today. Here I speak of the role of this committee in the wake of the amendments to the legislation that were just passed a few months ago.

[1:55 p.m.]

In my letter of last October to the minister responsible for carriage of those amendments, I described it as baffling that those changes would proceed in advance of your committee having a chance to do its work.

Some others have wondered aloud what would be left for the committee to do considering those changes, and if he did have recommendations to make about further reform, how those would be received by government.

To these matters, I would say that of course I wish the government had allowed you to consider the changes proposed in Bill 22. However, there is still much work to be done, and there remain significant matters unaddressed by the recent amendments that beckon this committee’s review and the government of British Columbia’s consideration. I expect you will hear this from many others as well.

Those who know me know that I am an ardent and passionate believer in our democratic institutions. Though I appreciate the healthy level of skepticism of government’s future intentions in this realm, I believe that your work of consulting widely to gather information and encouraging fulsome public dialogue about proposed amendments is vital to advancing our province’s access and privacy legislation.

The realist in me also thinks that if your work is to gain necessary traction, it will not end with the filing of your report. It will require, I think, that each committee member use the knowledge gained from your consultation with British Columbians to persuade the government to advance the recommendations you put forward.

As you undertake your critical work in considering what are sure to be many submissions, I wanted to offer you a way in which you might think about those suggestions, a lens as it were, that might help guide your deliberations. I think the most useful way to think about FIPPA is that it is a social contract between government and British Columbians. On the one side of the contract, public bodies are permitted to collect information, much of it about us, so that it can function. That collection, amongst other things, allows government to provide important services or to plan public policy and programs.

On the other side of this bargain, British Columbians get an assurance that public bodies are accountable for the information they collect and use, as well as being responsible for the protection of the personal information they gather about us. In concrete terms, accountability is achieved through robust access to information, where citizens have a window into what their public bodies are doing. Responsibility is achieved by ensuring there are proper guardrails around the use of personal information. Those guardrails must be reinforced by robust, independent oversight.

In short, FIPPA is a contract of British Columbians in which government authority to collect, use and disclose information is subject to pillars of accountability and responsibility. I believe one of your most important considerations in undertaking the work ahead is to ensure that the integrity of the social contract is maintained. This is especially so in an era of rapidly changing technology. There is little doubt that these technologies have allowed ever-increasing collection and processing of citizen personal information by public bodies.

To be clear, there are many benefits to society resulting from these advances. Accessing government services becomes easier, and public policy and program planning can become a lot better. However, public trust and confidence in these systems, which is really fundamental to their functioning, is only possible where citizens have a proper window into how government’s business is being done.

As I just alluded, this trust and confidence comes through being able to readily access public body information, subject to certain exceptions of course, and to proper oversight of these matters by our independent office. Trust cannot be based on a one-way mirror, where government knows and sees a lot about us, but we can’t see into its workings.

Where, then, have the amendments in Bill 22 left us? Apart from the concerns I raised during the debate, I would say those amendments were focused on playing catch-up. Much-needed reforms, like mandatory breach notification of snooping offences, adopted in many other jurisdictions, finally gained traction here. Some other changes, like requirements for privacy management programs for public bodies, did bring B.C. forward and serve as an example of what legislators should strive for.

However, what the amendments didn’t fully come to grips with are the advances in the data-driven world we now live in, fueled by a panoply of increasingly sophisticated technologies. What may constitute a record, for example, is a matter that might be something you wish to consider with a fresh lens, given changes in information-gathering technologies. To state the obvious, we no longer live in a paper-based world. Artificial intelligence. Facial recognition technology. Big data and data linking. These all impact our everyday lives, and FIPPA needs to do a better job of addressing them so that the added authority given to public bodies to collect and use data is matched by safeguards of oversight and transparency requirements.

[2:00 p.m.]

I’ll have more to say about these matters in a few minutes. First, I know that you, Chair, have asked, through the Clerk to the Committee, that I spend some time this afternoon talking about the act as it stands now, the work of my office and my perspective on previous special committees’ recommendations from 2016. To that, as I just noted, I will add a few general observations about a potential way forward.

I want to start by giving a brief overview of FIPPA, about which you can find a more fulsome overview in my written submission. The Freedom of Information and Protection of Privacy Act has been in force for nearly 30 years now, since 1993. The purposes of the legislation are essentially threefold. To make public bodies more accountable to the public by providing a right of access to certain records, with certain exceptions. To protect personal privacy by setting out rules around the collection, use and disclosure of personal information. The third purpose is embodied in my role as commissioner, which is to administer the legislation by providing independent oversight of decisions made under it so as to ensure its purposes are achieved.

At this point, it might be useful to give a brief history of the legislation. I feel like I have an intimate relationship with it. Some of you may know that I was an advisor to the Attorney General who piloted the original bill through the Legislature back in 1992. It was, in fact, the first file assigned to me on taking my seat in an office just down the hallway from where we would have gathered this afternoon if an in-person meeting had been possible.

The legislation had been long fought for by many people whose objective was to strengthen accountable government. When it was unanimously passed in 1992, FIPPA was considered state-of-the-art legislation. It was a time, I need to add, when most records to which the act referred were paper-based, and email…. Well, Tom Hanks had not even then met Meg Ryan in the movie You’ve Got Mail, for those of us of an age to remember such things.

FIPPA provides for government accountability by giving the right of a citizen to seek records about what is happening in their community, about how their tax dollars are being used, why decisions are being made about their health care and so much more. This process is also an essential tool for members of the assembly and the media and other organizations to get the information they need to keep the public informed about how their tax dollars and other matters are being dealt with by public bodies. Importantly, anyone can make an access request, and public bodies are required to assist them and respond within established timelines.

As you know, access requests can be subject to fees. The first fee is an application fee that public bodies can charge. It is optional, and it is up to each public body to decide whether to do so. I continue to encourage all public bodies to forgo charging their citizens a fee for making an access request for information. I should also note that unlike other fees allowed under the legislation, I have no ability to consider whether such a fee should be waived in a specific circumstance.

The other type of fee that can be charged by a public body is for certain tasks associated with locating and producing records. This has been part of the legislation since inception, and a public body can use their discretion not to charge, or it can excuse a payment of this fee for a few reasons set out in the act.

In terms of the public’s right of access to records, it is not unlimited. Certain types of records are wholly exempt from an access request — for example, records that are already available for purchase or, more recently added to that list, certain types of records considered metadata.

FIPPA also allows public bodies to withhold requested information in a record in certain circumstances. In some cases, a public body is actually required to withhold information. This would involve such matters as cabinet confidences and information which, if disclosed, would be harmful to business interests of a third party or to someone’s personal privacy. In other cases, like with policy advice, withholding information on the part of the public body is discretionary.

These exceptions were initially crafted, I can attest, with some precision to ensure a fair and reasonable balance between the right of access and the need to protect certain information from disclosure. I think it’s also true to observe that the meaning of some exceptions has broadened considerably in light of certain court decisions. What is meant, for example, by the term “advice and recommendations” in section 13 of the legislation as an exception to disclosure under FIPPA is a good example of a term which has been given wide berth to public bodies to withhold information.

[2:05 p.m.]

While I appreciate that we mostly think about access to information in terms of what individuals request from public bodies, it must not be forgotten that FIPPA does not prevent public bodies from disclosing records without a request, where those records do not contain personal information. In fact, I have highly encouraged — and I continue to encourage — public bodies to engage in this practice of proactive record disclosure, especially where it involves frequently-asked-for information. Not only does it encourage civic engagement and accountability, but it can also save a public body time from having to answer a formal access request on multiple occasions.

There is also a requirement for public bodies to disclose information without delay when the information is about a risk of significant harm to the environment or to the health and safety of the public or a group of people, where that, for any reason, is clearly in the public interest. When triggered, this mandatory disclosure under section 25 of FIPPA overrides any other provision in the act. As you might imagine, it is generally triggered only in extraordinary circumstances.

A good example of section 25’s importance was revealed in our 2016 investigation into soil testing and water quality in the township of Spallumcheen. We determined that it was absolutely critical and clearly in the public interest that the township disclose information concerning soil testing, because it had a direct impact on the safety of the community’s drinking water.

I would now like to turn to the privacy side of FIPPA. The legislation sets out rules for the collection, use and disclosure of personal information. Public bodies can only collect personal information when they have authority to do so, and in most cases, they are required to notify individuals about why they are collecting their information. Public bodies are allowed to disclose the information if doing so would be consistent with the original purpose for collection.

There are several other circumstances in which public bodies can collect, use or disclose information, many of which don’t require the consent of the individual. These would include, for example, disclosures for law enforcement purposes.

The right to collect your personal information also imposes on a public body the responsibility to properly secure and protect it. The degree of that protection can depend on factors such as the sensitivity of the information and the potential for harm should it be disclosed without authority. A person’s medical information will, as a general rule, for example, require higher safeguards than a simple email address or a first name.

In the event that those safeguards fail, there will soon be a requirement for public bodies to notify my office, as well as affected individuals, of a privacy breach where it can be reasonably expected to result in significant harm to the individual. This means that not every single breach will need to come to my office. A single email that goes astray with little consequences, for example, will not need to be reported.

FIPPA also requires public bodies to use various tools and resources to meet their responsibility to protect privacy. For example, public bodies must conduct privacy impact assessments, or PIAs, to determine whether their proposed initiatives comply with the law.

Finally, I’ll note that the recent amendments to FIPPA will require public bodies to develop privacy management programs in accordance with directions of the minister. This is something that my office has long advocated for and in fact issued guidance on back in 2013.

In my remarks this afternoon, I have referred to some specific investigation and audit work that we have accomplished. I now want to speak to my office’s role in more general terms.

As I mentioned earlier on, I am responsible for monitoring how FIPPA is administered to ensure that its purposes are achieved. In broad terms, it means that I undertake investigations and audits, issue binding orders, engage in research and educate and inform the public about FIPPA, as well as commenting on the many different types of government initiatives, as was the case with the recently proposed legislative amendments.

Much of what we do — the meat and potatoes of our work, so to speak — involves requests for reviews and complaints. If a public body decides it’s not going to release information in response to an access request — because they say it’s subject to an exception, for example, like solicitor-client privilege — the requester can come to my office to challenge that decision. Similarly, if a requester is unsatisfied with the way a public body has handled a request — because, they may say, the public body has exceeded the time limit for a response — they can also complain to us.

To give you a better sense of what this means, in the past fiscal year my office received approximately 885 requests for review and complaints about access requests. Whether it’s a request for review or a complaint, our case review team initially processes the matter and sometimes can quickly resolve it. If they can’t, it will be assigned to one of our investigators, who will attempt to resolve it informally, either by working with all parties to achieve consensus or by issuing findings. Mediating these issues can be challenging, because in many cases, the parties before us have a strained relationship.

[2:10 p.m.]

My case review and investigation teams are highly skilled and resolve most of the files, something in the neighbourhood of about 90 percent of them that come before us. In the proportionately smaller number of cases where that doesn’t happen, the matter will proceed to a formal inquiry where an adjudicator will make a binding order subject only to judicial review. I will note that the files that make their way to adjudication are typically complex and contentious matters, the majority of which relate to access requests.

I mentioned the adjudication process in my recent presentation to the Select Standing Committee on Finance and Government Services, and I do think it bears repeating that my office’s responsibility to interpret and apply FIPPA’s meaning is critical to the act’s foundations, from the Indigenous woman seeking records about her grandmother’s incarceration in a juvenile reformatory in the 1940s to homeowners seeking local district government documents explaining geotechnical findings making their properties uninhabitable. The issues at stake in these determinations can often be far-ranging and very significant for the individuals and communities involved.

My office also assists public bodies and organizations that have experienced a privacy breach. Last year we received 92 privacy breach reports related to the work of public bodies. Our comprehensive response to these reports is to provide advice and guidance to public bodies involved and to help ensure that citizens have the information needed to protect themselves against the fallout from those breaches. As a side note, we expect the number of breaches reported to our office to significantly increase with the implementation of mandatory breach notification, and we are actively preparing for this on an operational level.

My office also releases public reports throughout the year conducted by the audit and systemic investigations team. These are usually initiated either in response to a complaint or done proactively. Our look at how the access-to-information system is faring during the COVID epidemic is a recent example. Others include our Section 71 report that looked at how public bodies establish categories of records available without an access request and, of course, our routine report cards on government access-to-information timeliness.

We also teamed up with the B.C. Ombudsperson and the Yukon Ombudsperson and Privacy Commissioner to report out on the challenges to privacy and fairness arising from the use of artificial intelligence in the public sector. The recommendations in this report, I believe, will be of value to the work that you’re doing.

Finally, a very important part of my office’s mandate is education and guidance. We often consult with public bodies seeking our comment on their proposed initiatives or questions. We also routinely release guidance documents for the public and public bodies alike about the legislation and other relevant access and privacy issues. For example, we released information in September following the implementation of the B.C. vaccine card to explain how the card, the public health orders and B.C.’s privacy laws work together.

Collaboration with our counterparts, both across Canada and internationally, also supports our work, advancing our knowledge and expertise in accessing privacy issues. We regularly collaborate with federal-provincial colleagues. Witness our recent joint statement respecting vaccine passports.

I’m going to stop there now on our office’s work because I know that time is at a premium this afternoon, but I will also point you to our written submission, which expands on all of these responsibilities.

I now just want to briefly touch on recommendations made by the previous 2016 special committee. For ease of analysis, I’ve included an appendix in our written submission to you, with a table that shows where Bill 22 amendments addressed 2016 recommendations.

Now, when I say some Bill 22 amendments addressed the 2016 recommendations, I do not mean to say that those recommendations were fully implemented in all cases. For example, the previous special committee recommended extending coverage of the act to what are often called subsidiary corporations.

There was a question about this earlier. These are organizations that in some instances carry out, essentially, government functions but avoid FIPPA accountability because they are not technically a public body. Bill 22 amendments expand the range of entities that the minister can designate a public body but ultimately leaves it to her discretion to do so. In my view, this fell short of the 2016 special committee recommendation, which was to make such coverage automatic when certain criteria are met.

[2:15 p.m.]

In general, I would say that the recent Bill 22 amendments more readily address privacy, penalty and offence recommendations of the 2016 committee than those dealing with improvement of access to information and information management.

With respect to the 2016 recommendations that were not addressed in any fashion by the government in Bill 22, I intend to address those in a detailed way in a follow-up briefing or briefings to you, because I believe there are many that remain relevant and warrant further consideration by your special committee. On the access side, for example, I think you can expect I’ll be proposing recommendations that narrow the exceptions to disclosure that can be used to withhold information and to expand coverage of the act.

I will also be monitoring the impact on the public right of access to information by any public bodies who elect to charge a fee for their citizens to exercise their right. I hope to share some initial insight with you on that issue in the coming months and what that might mean to your recommendations to government.

In terms of privacy, I expect I will make recommendations to you on government use of automated processing and artificial intelligence. Closely related to this, I can advise the committee that I eagerly await the draft set of rules for data linking, which I understand the government is now in the process of drafting, and about which they are required to consult me. Together, these matters carry both significant promise in terms of yielding insights and efficiencies for government, but they carry significant risk for the privacy of British Columbians.

As I mentioned, it is my job to monitor and enforce the act to ensure that its purposes are achieved. In that respect, I observed that the powers of my office have remained largely unchanged since FIPPA was introduced 30 years ago, even though access and privacy issues are only becoming more pronounced and consequential. Therefore, I will also bring forward recommendations that will improve and streamline our processes, while providing stronger and more effective oversight.

In concluding my remarks this afternoon, Chair and committee members, I can do no better than to restate the message I recently gave to the Special Committee to Review the Personal Information Protection Act, our private sector privacy legislation. As lawmakers, as policy-makers and we as regulators, we need to keep up with the times. PIPA was drafted 30 years ago under very different conditions from those which we live under today. Although some elements of the legislation, including its core purposes, have stood the test of time, I think it behooves us to ensure that it adapts to modern challenges so that the citizens of our province are properly served.

I want to thank you all again for your work on behalf of the citizens of British Columbia and for the opportunity to appear before you today. Of course, I welcome, with that, your questions.

R. Glumac (Chair): Thank you very much for the presentation.

Our first question comes from Henry.

H. Yao: I don’t have a question. I just want to make a quick statement.

Michael, thank you so much for being flexible and being so supportive. I know I had quite a few questions regarding FIPPA and PIPA with you in person, addressing some of the challenges. I really appreciate that opportunity. You’ve been educating me and empowering me to support my constituents. For that, I do want to personally thank you.

M. McEvoy: You’re very welcome. It’s absolutely a critical part of the work that we do. As an officer of the institution of the Legislature, it’s, of course, a priority to address the concerns expressed by representatives of the public.

S. Chant: Again, thank you for the presentation. I’m glad to hear the variety and the range and the spectrum of work that you do, and where some of the questions are.

Where I get a little confused…. I’ve been involved with FIPPA for many years, being part of the health sector, and in many variations on a theme. Where I get confused…. I think you used the words “proper window” and “proper oversight,” staying within the guidelines. Now, I worry that a lot of requests — and I’m going to get nailed for this, I’m sure — are not proper. However, I don’t know what mechanism is built into the various public bodies to determine what’s proper and what’s not proper.

I have been there at times when information has been released that makes no sense to release, for a variety of reasons. I worry about the use of proper versus improper release of stuff and proper versus improper oversight.

[2:20 p.m.]

M. McEvoy: Thank you for the questions.

I think at first instance, when a citizen comes to a public body with a request for information, there is an attempt for the public body, as they are obligated to do, to really understand the nature of that request. Sometimes it won’t be entirely clear, so there’s a back-and-forth process that happens, usually to try and narrow the request so that the public body is actually answering what’s being asked for.

First of all, just a big shout-out to those in school districts, municipalities, regional districts and provincial government. The people who work on the front line and deal with those requests are just experts. They care deeply about wanting to make sure the act is performed and the purposes are met.

There may be instances where there is an abuse of the process or, to perhaps use your language, a request is not proper. There is a mechanism in the act to deal with that. Where requests are frivolous or vexatious or in some way abusive of the process, the public body can come to me to ask that those requests be disregarded. In some cases, that absolutely happens, where we make that finding. There is a mechanism in the act that provides for precisely that. Fortunately, it doesn’t happen often, but it is there, in the event that it’s needed.

In the meantime, we have put together in place…. As I noted, many people for many years in civil society and others had advocated strongly for a formal mechanism for access to information. It is part and parcel of, very much integrated into, our democratic system now and our democratic foundations, not just in British Columbia but across Canada and through western democracies. I think everybody recognized that that was a very positive step forward.

J. Rustad (Deputy Chair): Thanks for the presentation.

I always find it curious that the job of freedom of information is to go through and look at the information that can be released. Would it make sense to actually flip this whole issue on its head or on its side and say government should and will release everything, with the exception of what the freedom-of-information officer says cannot be released?

It no longer, then, becomes an issue of a request that has to be gone through, but it becomes a standard by which government must release information proactively. Then the job would be to inform government what should not be released. Would it make sense just to do that and just end this whole issue of, continually, these thousands or tens of thousands of requests for information?

If that makes sense to think about doing that, how would one go about implementing it?

M. McEvoy: Really, at the heart of your question is that release of information is the default position, in essence, in a sense, for government.

I would say a few things about that. First of all, that was something that was discussed in the Legislature, I recall, at the time that the bill was introduced back in the 1990s. There was a sense that the default position of government should be public bodies to release information, for government bodies to be transparent as possible, and that the legislation was designed essentially to be the backstop. That would be kind of the last resort, where you would need to actually make a formal application.

I think the hope was that a culture would develop where public bodies would simply release information on request, no need for forms and all those kinds of things. In reality, of course, that’s not what transpired. It became ultimately a kind of formal mechanism through the act, with the exceptions and so forth. I guess, with the best of intentions, that’s the way it’s turned out to be.

It does point to something else that I have, and our office has, emphasized for years, and that is for public bodies to think more about proactive release of information and, as I mentioned in my comments, particularly where there are frequent requests for information.

[2:25 p.m.]

Rather than having to repeat, going through this process of a formal piece of paper and somebody dealing with it, for example, that information would be posted on a public body’s website or in some other way that would make it readily accessible to the public so that you wouldn’t have to and don’t have to go through this process.

A provision of the act actually says that the minister responsible will actually set out categories of records. You can read our report on that issue.

Your point is well taken in terms of public bodies, I think, taking more steps to proactively release information without the need for formal access-to-information requests.

J. Rustad (Deputy Chair): If I could, just in terms of a follow-up with that. I mean, when this was brought in, in the 1990s, I believe as you said, You’ve Got Mail was the thing, right? The Internet was just new, right? The whole digitization of data and of information and tracking was a very different world back then than it is today. Advance 25-plus years, and we’re in a situation where just about everything is digital anyway. There is such a change in how data is managed already.

It just seems to be that what we’re talking about here is archaic, and really, an overhaul should be considered to look at, I guess, making the rule that government has to release this information, with the exceptions of the information that needs to be withheld. That would be the job of your office.

Anyway, I’m looking at how far we’ve come and also how much farther we’re going to go in the next three to five years in terms of the changes of technology, introduction of 5G and all these types of things. It just doesn’t make sense to me to be doing things in this archaic fashion any longer.

M. McEvoy: Yes. I would share the observation…. Well, I think it makes a persuasive case for the work that you have ahead of you as a committee in engaging these issues.

A. Olsen: I’m going to sneak a question in here. I’ve got to step away to grab my daughter from the bus — one of the joys of working from home.

Nice to see you, Commissioner. I’m just wondering if you could maybe provide a little bit of your perspective on the state of the provincial government’s recordkeeping systems as they are right now. We talk about the changing technological landscape in which the data resides in. Part of that landscape, of course, is the systems and the processes that we, as a government, have in place for all of our public entities to be able to store.

I guess, as a companion question to what my colleague John is just asking with respect to making all of the information public, it has to be stored in a way that is easily accessible and easy for people to find. What, in your perspective, is the state of our recordkeeping systems in the province now?

M. McEvoy: Well, it’s an evolving picture. I think governments, ministries, continue to develop technologies to store, utilize those records that they have in their custody and control. Most recently, I guess just a couple of years ago, government passed the Information Management Act, which makes provision…. Actually, it did bring us, really, into the 21st century, because that act deals specifically with digital records and so forth. I think that was a positive development.

I think there has to be greater oversight over those processes of record management systems, and we’ve advocated that that should come under the auspices of my office. When you think about it, access to information is so inextricably tied to the recordkeeping systems of government. How the people’s information is kept and stored and organized is fundamental to a proper access-to-information system, which is why we advocated and continue to advocate for why the chief records officer should have and that system should have some independent oversight from our office.

I don’t know if that’s answered your question, at least in part.

[2:30 p.m.]

A. Olsen: Yes, it does, absolutely, in part. It was probably a question that I could have asked earlier today in the previous presentation, but it didn’t dawn on me until I was eating something a few minutes later.

To me, it was like we have…. The argument was put forward to put fees in place to help manage what has been characterized as an overburdened and slow process. I’m not sure whether or not the slowness of the response — the pace of the response, I should say — is a result of too many requests or a system that is really inefficient and ineffective at keeping…. So that’s kind of what I’m trying to understand.

That leads me to my next question. I think I’ll just ask for your…. My regrets if I have to stand up and walk out during the middle of it, but I do want to get this on the record. Just with respect to the conversation that was had this morning around fees being a deterrent or an incentive, I’m just wondering if maybe you could provide some comments around some of the things that the ministry could do or could have done in advance of advancing a fee for applications in an effort to achieve what they were talking about — which was to streamline and to, I think, incent people to be more specific in their applications rather than just going straight to charging a fee.

M. McEvoy: Well, I was very clear, and I continue to be very clear, that fees pose a barrier to access. I don’t believe that that was an advisable course of action. Ultimately, that’s what the government determined.

I also think that charging a fee does not necessarily lead to a greater focus or a narrowed focus on the part of an applicant. In fact, it strikes me that the opposite could actually happen. Somebody concerned that, if their question or questions become specific, they will then be having to be charged multiple times for various questions…. In fact, it might incent people to ask a much broader question, a much wider question, because they want to make sure they get a bang for their $10 buck, so to speak.

I think we need to be careful going down that road in terms of logic and what a fee might do for improving a system. Look, imposing a barrier is not going to improve service to the public, I don’t believe. I think governments — and all institutions — need to continue to work on their systems for how they process matters. I know that this government, the previous governments, have been working on ways to make that more efficient, to employ the proper amount of resources necessary, to make those response times — to bring them down.

Part of the work that we’ve done in terms of doing our timeliness reports for government are aimed at exactly that. They’re aimed to be helpful exercises, to assist government in making those systems become better and more efficient. We’ll continue to do that, and I expect we’ll, in all likelihood, issue another report card on that, probably next year. We’ve done them every couple of years.

In short, we’re always looking, as an office, to work with and assist public bodies, to improve their service to the public where we can. I just don’t believe — and I’ve said it on the record many times — that charging a fee accomplishes that end.

T. Shypitka: Thank you, Commissioner, for the presentation.

I just wanted to go into the regulation piece of it here. You mentioned your letter on October 20, and you discussed the desire for the minister to disclose the draft regulations — or the intent, I guess, of the regulations. Has the minister talked to you about the regulations at all so far?

M. McEvoy: Well, first of all, there is a requirement, when there is a draft, that the minister consult with me on that. I expect that will happen, and I expect the ministry is looking at those regulations. They’ve committed themselves to doing so. Obviously, that’s very, very important. You think about government having the ability to link data about all of us — again, for very good and useful purposes of policy planning and so forth — but there are dangers that arise from that.

[2:35 p.m.]

As government, public bodies link information about all of us, which may be in separate sorts of silos of government. Those portraits of all of us as individuals become much, much more sensitive. More is known. So issues, for example, like breaches that could happen on that become more problematic.

The other issue is that linking can be used for purposes of…. Whether to give people benefits, for example, or deny them benefits, where you link, for example, income with your ability to gain certain kinds of benefits from government…. You want to make sure that when linking like that happens, it’s done in a way which is going to ensure fairness, that is going to ensure that if, for example, somebody’s going to be using that kind of linking to deny somebody a service, a human being is involved at some point in the process so it’s not just a machine spitting something out.

Those are the kinds of things that we would look for in regulation around data linking. The minister has committed to that, and I expect our staff will be working together with her very able team to discuss those in some detail.

T. Shypitka: Excellent. You answered my next question on types of regulation that you’d like to see in regards to data linking.

What about the changes to data residency that concern you the most?

M. McEvoy: There was, I think, as the associate deputy mentioned — and certainly I heard it myself when I went across the province talking to university administrators, for example, or health authorities or other public bodies and in the education field as well, K to 12 — the desire to use some of these platforms that would require putting data across our Canadian border. I certainly understood that. The changes that were made that now, I think it’s fair to say, more freely allow for those services to be used can be very positive.

What is really important, though…. I think all public bodies need to keep this in mind. I think the associate deputy made these comments as well this afternoon. I’m not sure these were her words, but it’s to the effect of: “It’s not a free pass.” You need to ensure, if you’re going to be using a service where the data is moving outside of your establishment, that you’re a public body, that you have protections in place when that happens. Whether it’s, in fact, sending it to Alberta or whether it’s sending it to a server even in British Columbia or outside of this country, you need to make sure that those providers are going to properly take care of that data.

You’re entrusted with people’s information, and they expect that you’re going to treat it properly and securely. Just because those prohibitions have been lifted does not lift from those public bodies a responsibility to properly take, in the words of the act, reasonable security measures to ensure that that information is properly held. Those have not been diminished one bit.

T. Shypitka: Thank you. I’m not too sure if you’re well-versed in this or not, but in your opinion, do you think we have enough storage capacity for the requirements that are needed within Canada right now as it stands? Or even more specifically, in British Columbia?

M. McEvoy: Well, I’m not entirely sure how to answer that question. I think, really, from the perspective of public bodies looking to utilize services, it’s often not so much about storage capacity of a server. It’s the actual software application, for example.

A teacher in Cranbrook who wants to utilize this tool because she thinks it’s going to provide better education to her kids…. It involves storage of information on a platform…. That service might not be available in Canada. It’s an American service. So you want to make sure that that’s going to happen and make sure that the information about your students is not being misused. It’s not being used for marketing purposes, stuff like that. It’s properly protected.

It’s that kind of thing, I think, where public bodies want to take advantage of these kinds of tools. It’s not so much a storage issue. It’s taking advantage of certain kinds of applications.

T. Shypitka: You referred to a teacher from Cranbrook. I’m Zooming in from Cranbrook. I’m not sure how you found that information out, but I might have to request….

M. McEvoy: Totally coincidental.

[2:40 p.m.]

T. Shypitka: Last question. What aspects of the newly amended act would you like the committee members to focus on the most?

M. McEvoy: Sorry. When you say the newly…? Or the issues that are not dealt with at this point?

T. Shypitka: Absolutely. Yeah.

M. McEvoy: On the access-to-information side, I would say section 13 of the act, advice and recommendations…. If you look back at 2016 or, in fact, if you go back before then, I think you will see recommendations that the previous committees have made about that exception that public bodies often employ to say to people: “We’re not giving you the information because this is about advice and recommendations.”

The meaning of that term has been so broadened, it has become…. Some have described it, I think, as the Mack Truck of exceptions. It’s significant. I think it would be very good for the committee to consider ways to narrow that exception so that it covers what it was intended to cover, which was a public servant saying: “We believe, government, you should follow this option. This is the solution to our problem.” That would normally not go out.

The factual basis for that opinion — because we can, hopefully, all agree on the facts; they give rise to a government decision — that’s important, even for the public to understand the range of options that at least the government was considering. I think that’s one example.

I think on the offence side of things…. And this goes back to an earlier question about information management systems and how governments manage and public bodies manage information. These are all done according to schedules and really good rules as to what’s kept, what’s not kept, what needs to be archived. When those rules get breached, where there is unlawful destruction of records, that should be the subject, I think, of a sanction under our legislation.

I think there was an opportunity for government to do that this time around. They kind of went partway. They said where information is destroyed in response to an access-to-information request, that will be the subject of a penalty. But, really, when you think about it, when you think about the importance of keeping proper record systems, at any point where people destroy records without authority or contrary to the law, that should be subject to a sanction. Those would be a couple of areas that I would certainly encourage the committee to consider.

On the issue of data linking, again, I would expect the government will be consulting with us about that shortly. But I think that’s important that we move that agenda along as well.

T. Shypitka: Chair, no more questions.

R. Glumac (Chair): I’ll throw in a couple of questions.

The ministry mentioned that there were, I think, eight recommendations from the 2016 committee that were captured in the Information Management Act. In your table, you do a tick box for those ones that are dealt with in Bill 22. Are you in agreement that eight recommendations were dealt with through the Information Management Act?

M. McEvoy: We’ve just had a look at that table that the ministry and the government has provided. I think it’s fair to say we’ll analyze that and take that question, if I may, under advisement to give you a more considered analysis. As I noted in my remarks, we did note where certain recommendations were addressed. I think that was the government submission as well. It didn’t necessarily mean that they were wholly accepted or whatever. They might have been addressed in part.

Certainly, the Information Management Act dealt with a number of issues, including, for example, the duty to document, as it’s called. A requirement that ministries record key decisions about their operations was really important. Again, that was an important advance, but the challenge is that all of those matters are not explicitly under independent oversight. If it were — and I think that’s what the committee should consider in terms of its recommendations — I think it would give the public greater trust and confidence in that system.

[2:45 p.m.]

R. Glumac (Chair): Essentially, you’re saying that if a recommendation was dealt with in the Information Management Act, it wouldn’t be under your oversight. You would rather see these changes in FIPPA?

M. McEvoy: Yes, that’s right. The government of the day back a few years ago really sort of — if I can put it this way — bifurcated the responsibility, took out any reference or did not put any level of oversight over the records management system of government, at least directly, in the Information Management Act.

Again, we’ll be coming back to you with some recommendations with greater specificity as you continue on in your deliberations.

R. Glumac (Chair): One more question. In regards to PIPA, there definitely is a standard in Europe with the General Data Protection Regulation. It’s kind of the leading standard, I think, that the previous committee looked at very closely in terms of the cutting edge of privacy protection in private organizations. Is there anything similar on the public side?

M. McEvoy: The answer, I think, to your question is yes. There are some advances that I think have been looked at, particularly in Europe, that you will want to look to. Again, we will point you to some of these things as you go on in your work.

Artificial intelligence is one of those issues where I think the Europeans have had a very in-depth look. Again, our own work that we’ve done in our office with the ombuds office references that European work, actually. This is going to become an increasingly challenging issue. As artificial intelligence advances, governments will want to take advantage of it.

Again, there are some very good things, potentially, in it for innovation and allowing for better public policy planning. These technologies can be used for that if it’s done in the right way that ensures fairness and ensures that people’s rights are unencumbered. We can look to other jurisdictions to assist in the work, not completely rediscovering the wheel, with regard to some of these things — the way these things have been analyzed and thought about in other places.

R. Glumac (Chair): We have another question from John.

J. Rustad (Deputy Chair): There’s been some conversation about the possible penalties if information is withheld. I guess the question is: what authorities do you have to do investigations as to information being withheld? Also, there is new software, new applications which may not be covered, that may allow a government — current or future governments — to be able to avoid records in terms of the communications.

How do you manage the adjusting technologies, the potential of ministries and/or ministers — I’m not saying any particular government — in a situation to avoid them…? How do you monitor? How do you find ways to make sure that there isn’t an intentional way to avoid records being created that could potentially be FOI’d? Then the second piece of that is the investigative powers to actually determine whether or not there has been a breach.

M. McEvoy: Right. On the first question about my ability to investigate with respect to access requests that perhaps haven’t been met, I have broad authority to do that, under the legislation. In most cases, it’s an issue of arguing about whether something should be disclosed or not, that it’s subject to an exception or not. Ultimately, my office can order the public body to turn that information over, subject only to a judicial review, which on occasion happens — where a public body may go to court to challenge a decision that my adjudicators have made.

In regard to using various platforms in which to conduct government business…. I think that’s probably what you’re referring to. I think our office has said this in the past. It is generally not a good practice to be conducting government business on personal platforms.

[2:50 p.m.]

Freedom of information applies to government business. It does not matter what platform is being used for that business. If you’re using a personal chat function or whatever it is, if it’s government business, it’s subject to the act. That’s why, again, we would advise to keep to formal government channels when you’re doing work. That just makes it easier to organize and makes it easier in terms of being subject to proper searches, and so on.

You raise a practical question. If other mechanisms of other platforms are being used for conducting government business, if an access request comes in to a ministry, people will be asked to review their records with regard to a particular kind of communication that’s being asked for, regardless of whether it’s on their work email. Or it could be on their phone with a program that they have.

We live in a system where we trust and hope in public servants that if asked a question about whether or not they have records in relation to a request, they will disclose that to the access and privacy officer who makes that request, and those records are turned over. Where that doesn’t happen or there’s a suspicion that that’s not the case, that’s a complaint that can be brought to my office, and that’s a matter that we will investigate. I don’t think I’m going to venture too far beyond that in terms of talking about how we would go about investigating those matters.

J. Rustad (Deputy Chair): I appreciate that. Thank you. It just adds to my argument about why we should be looking at the other side of the coin in terms of how this could work. But, anyway, thank you for that information.

T. Shypitka: I forgot that there was one more question I wanted to ask on subsidiary corporations and the concern that your office has on using the discretionary order-making power to add an entity if the minister concludes that it’s in the public interest. As we’ve stated, there’s no criteria governing when this should be done. So how important is it for your office to be included in that discretionary order-making power?

M. McEvoy: Well, what would be very helpful is if the criteria for subsidiary corporations were set out more specifically in the legislation, and then that is something about which, if those criteria are met, that particular entity would come under the legislation automatically.

Just to remind everybody, what we’re talking about here are essentially…. These are bodies. Sometimes, a public body will spin off to do, essentially, the public’s business. But they avoid accountability because they’re “not technically” a public body.

I mean, for example, a university that spins off a subsidiary to deal with its land issues. Those lands are public lands. They’re held by that institution. Now, not everything that they will do will necessarily be subject to disclosure, because there may be some exceptions. But the point is, at least, that they need to be subject to the legislation. What we have now is a situation where it’s entirely within the minister’s discretion as to whether that entity, whatever it is, would be included as a public body.

On occasion — and it’s a matter of public record — I have been critical of government for not including certain bodies as public bodies to ensure accountability. I think clear rules and clear criteria that allow for the inclusion of those bodies to ensure that there’s a window into how these entities are conducting the public’s business are really important.

R. Glumac (Chair): I don’t see any further questions.

With that, I’ll thank you…. Oh, wait. We have one more question.

H. Yao: Thank you so much, Commissioner, for taking your time explaining so many great answers for us.

I did have one question. When you’re talking about, I guess…. Bear with me for my lack of understanding. If a non-profit organization is receiving grants based on taxpayers’ money, do you foresee that as also some kind of organization that should be also subject to FIPPA, in regards to those kind of circumstances? Sorry, I apologize. I’m just trying to wrap my head around this.

[2:55 p.m.]

M. McEvoy: I think the short answer to your question as you describe it is no. I mean, many, many thousands of organizations get government grants. It wouldn’t make their organizations subject to FOI.

The nature, though, of that arrangement between government and various bodies — that’s something that can be the subject of an access request. For example, when government does business with a company, that would be subject to transparency. The public would understand the nature of the business that government is doing with a private entity.

That has been the subject of many access requests from my office. Particularly, my mind takes me back to massive contracts that the government signed with, for example, big tech providers about services. Hundreds of millions of dollars involved. It’s important that the public have some right to understand those kinds of transactions, but simply because government gives an entity money, no, does not make that entity subject to FOI.

If the entity is doing, in effect, the government’s business, so to speak — and that comes down to the subsidiary corporation issue that we’ve talked about — that’s a different thing, but simply because you get money, no, it doesn’t make you subject to FOI.

H. Yao: Again, my apologies. I’m just struggling with wrapping my head around it. Obviously, we’re not talking about the amount of the money, but the origin of the money, which is the taxpayers’ money.

If a non-profit organization receiving a grant from government, providing a service such as mental health support for individuals struggling through COVID, and there are people questioning whether that money is being properly utilized to support the program designated, does this still go under FOI, based upon your criteria you mentioned earlier?

M. McEvoy: In most cases, those organizations would be considered organizations under the Personal Information Protection Act, so they would be considered private organizations, and they are not subject to freedom-of-information legislation. They are subject to requests by individuals for their own information.

If you do business with the agency that you’re talking about, you can ask that agency for your own records, but there’s no general right of access to information about that organization’s business.

H. Yao: My apologies. I understand we definitely don’t have the right to violate an organization in regards to the internal operation and everything, but if a program has been designated and fully funded by government, taxpayers’ money, you don’t think that should be under FOI, then?

M. McEvoy: Well, I think that’s a matter for governments — to ensure, when it puts in place a contract with that agency, that presumably, there are protections in place and benchmarks of accountability. That if there is some issue about whether they’re properly using that money, that governments have the ability to follow-up and ensure that those obligations are being met. But no, it wouldn’t be a matter of getting information from that body that you’re talking about — the agency.

I suppose somebody could always ask government whether they’ve investigated a certain agency and what they’ve found. That’s obviously a possibility. Whether that would then be disclosable would be a whole other question, but not the agency itself.

R. Glumac (Chair): I think that’s our final question. So with that, I’d like to thank you, Commissioner, for your presentation and for helping answer all of our questions. We look forward to the opportunity to meet with you again. Thank you to your staff as well.

With that, committee members, is there…? We have the option to conclude our meeting at this point, or if there’s an interest in any deliberations, we could do that. If you’re interested in talking further, raise your hand.

All right. With that, I think we can conclude the meeting. Motion to adjourn?

From John, seconded by Henry.

Motion approved.

The committee adjourned at 3 p.m.