Information & Ethics Committee on Oct. 2nd, 2006

Thank you, Mr. Chairman.

I apologize for not having my remarks to distribute. I was notified on Friday of the session. I wrote diligently over the weekend, but I didn't have a chance to have it translated.

I thank you for your patience in letting me read my statement into the record.

I'm not able to offer evidence about the specific disclosure of Mr. Jim Bronskill's identity to operational officials, and a number of government organizations, or to exempt staff in the Prime Minister's Office. Apart from seeing a copy of the e-mail minutes of a meeting in which the disclosure of Mr. Bronskill's identity was made, a copy sent to me by a journalist--not by Mr. Bronskill, who had received a copy of the e-mail in response to an access request--I know no more about this particular incident than do the members of this committee. My office has not received a complaint about the matter, and the matter, as I understand, is under investigation by Mrs. Stoddart, the Privacy Commissioner. The Office of the Information Commissioner welcomes that investigation and looks forward to having the benefit of her findings and recommendations in due course.

On the more general issue of the importance of protecting the identities of access requesters from dissemination within government, I will make a few observations. My starting point must be the unanimous decision of the Supreme Court of Canada, written by Justice Gonthier in 2003 in the case of the Information Commissioner versus the Commissioner of the RCMP and the Privacy Commissioner.

Justice Gonthier, for the court, said this:

s. 4(1) of the Access Act provides that every Canadian citizen and permanent resident “has a right to and shall, on request, be given access to any record under the control of a government institution.” This right is not qualified; the Access Act does not confer on the heads of government institutions the power to take into account the identity of the applicant or the purposes underlying a request. In short, it is not open to the RCMP Commissioner

--and, may I add, to any head of institution--

to refuse disclosure on grounds that disclosing the information...will not promote accountability; the Access Act makes this information equally available to each member of the public because it is thought that the availability of such information as a general matter is necessary to ensure the accountability of the state and to promote the capacity of the citizenry to participate in decision-making processes.

At tab 1 of the information I've handed out to you, I've included a copy of that decision of Justice Gonthier. If you're interested in looking up what I've just quoted, that paragraph is on pages 24 and 25 of the English and pages 26 and 27 of the French version.

Those strong words from the Supreme Court of Canada give us these unambiguous messages.

One, in order to make decisions about whether or not to disclose information requested under the Access to Information Act, it is neither necessary nor appropriate to take into account the identity of the access requester or the motivations of the requester.

The second unambiguous lesson is that the reason identities and motivations ought not be put into the decision-making mix is that the right of access must be afforded without discrimination to all if the purposes of the act are to be realized.

The third message is that the purposes that are at stake go to the very heart of a healthy democracy. They are to ensure the accountability of the government and to promote the capacity of the population to be informed and knowledgeable participants in our democratic institutions.

The current law of Canada restricts the disclosure of requests for identities to the use for which the identity was provided or uses consistent with that purpose.

If you look at tab 2 of the materials, you'll see sections 7 and 8 of the Privacy Act. I'll take you to section 7:

Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except

(a) for the purpose for which the information was obtained or compiled by the institution or for use consistent with that purpose;

Section 8 has a similar limit on disclosures of personal information. The name of an individual access requester is personal information. This is enshrined, the need-to-know principle, with respect to the identity of access requesters. The identity of an individual access requester may be used or disclosed without the consent of the individual only for the purpose of processing and answering the request.

For example, the $5 cheque that comes with an access request will be sent to the institution's finance department. In so doing, the finance department will learn the identity of the access requester. That disclosure is permitted. And the request will be assigned to an ATIP analyst, who will send the acknowledgement in reply and who may communicate with the requester to clarify the request, or transmit a fee estimate, or collect a deposit, or to notify of an extension of time and so forth. Disclosure of the requester's identity to the ATIP analyst is necessary to process the request and hence is permitted.

Beyond the ATIP and finance units and perhaps to legal services if there is a need to verify the eligibility of the requester to make a request, generally speaking there is no need for any other government official to be given the requester's identity without the consent of the requester. There is no need, for example, for those searching for the records to know the requester's identity; there is no need for those assessing the likelihood of harm from disclosure to know the requester's identity--that was made clear in the passage I read from the Supreme Court of Canada--there is no need for the public affairs group to know the identity in order to prepare the minister and department for any questions that may arise from the disclosure of the requested records; there is no need for any senior officials in the approval chain, including the minister, the Prime Minister and exempt staffers, to know the identity of access requesters.

What I have described is the legal protection that now exists in the Privacy Act for the identities of individual access requesters. However, there is in statute law no protection for the identities of access requesters who are legal persons rather than individuals. Corporations, NGOs, partnerships, and associations are also frequent users of the Access to Information Act. Businesses make up the largest user group--far more frequent users than individuals such as journalists, MPs, or academics.

That is why in the open government act that was tabled with this committee last fall, it is proposed that the Access to Information Act be amended to include specific protection for the identity of all access requesters. And if you look at tab 3 in the materials I've circulated, and if you look to subsection 4(5) on the second page, the proposal is that:

The identity of a person making a request under subsection (1) may not be disclosed without the consent of the person unless

(a) the disclosure is solely within the government institution to which the request is made; and

(b) the person's identity is only disclosed to the extent that is reasonably necessary to process and answer the request

This provision did not make its way into Bill C-2, the Federal Accountability Act. However, Bill C-2 establishes a duty to assist access requesters without regard to their identity. While this new obligation is positive, it does not restrict the dissemination of requester identities. The Office of the Information Commissioner encourages the government to include the above-quoted open government act provision in any Access to Information Act reform bill it may bring forward.

Improper disclosures of requester identities can no longer be convincingly blamed on ignorance. The Treasury Board has issued guidance on this matter to all departments. And if you look at tab 4 of the materials I've issued to you, at the second page you'll see guidelines on treating the identity of a requester as personal information.

Reports have been made by information commissioners, government training programs remind officials not to disseminate requester identities, and the government's task force on access reform of 2002 reminded public officials of the need to protect the identities of access requesters. The reason for all of this is intuitively known to every public servant, elected official, and exempt staffer. Requester anonymity is necessary to ensure impartiality in the processing of access requests.

We have seen the effects of unnecessary disclosure of requester identity. One is retribution, such as loss of contracts by businesses, loss of access to the Prime Minister's aircraft by journalists, or career retaliation against employees. We have seen threats and bullying--for example, senior officials communicating directly to the access requesters their displeasure at being the targets of access requests. We have seen discriminatory treatment of the access request itself by it being improperly delayed, subjected to inflated fee estimates and 100% deposit demands, refusals of fee waivers, and overly broad application of exemptions to deny access.

In the hand-out, I have included materials that describe a case where disclosure of a requester's identity had some of these adverse effects. If you look at tab 5, that abstract from an annual report of the Information Commissioner had to do with a deputy minister-level official in the Government of Canada who was on secondment to the Tobin government of Newfoundland to help negotiate the Voisey's Bay nickel project. His former department, Fisheries and Oceans, had received access requests about him. You'll see on page 23 that the deputy minister, Mr. Rowat, wrote a letter to the access requester, and the letter said:

It has come to my attention that you and/or your organization are collecting a comprehensive file on my personal and professional activities. Will you please: - notify me in writing if, in fact, you are preparing a file, which in any way concerns me. - If so, advise me of your intended purpose and use of that information. - Provide me with a copy of all current information you have in your files that pertains to me. - All requests or approaches you have in train to collect information on me and my activities, and provide me such information when it is received by you. I am providing a copy of this letter to the Canada Privacy Commissioner.

As you can imagine, the access requester found that to be rather intimidating. The full report, which involved litigation when the official refused to answer the question of who gave him the identity, is set out at that tab.

It has been our experience that this is a very difficult wrongdoing to satisfactorily investigate. It usually happens in oral communications, or by means of easily disposed of post-it notes on ATIP files. It usually happens among officials who are fully aware that their curiosity about identities is improper, hence there is little tendency to come clean under questioning.

ATIP coordinators are in a no-win position. The senior officials who want to know requester identities are those who decide the coordinators' career futures. Yes, there are some individuals with the strength of character to say no to superiors. But let's be realistic, that kind of courage is bound to be the exception, not the rule.

On our prescription, first pass the provisions previously quoted and proposed in the open government act. I refer to tab 3.

Second, pass the provisions proposed in the open government act requiring that decision-making under the Access to Information Act be delegated to the ATIP coordinators. Get it off the tables of the senior officials.

You may be interested to know, for example, that in the Privy Council Office the delegation to answer access requests resides at the assistant secretary level or above. The deputy minister and the minister, along with the ATIP coordinator, should by statute be made legally accountable for respecting the act's rights and obligations. Those suggested provisions are also at tab 3.

Third, when transgressions occur, ensure that there is appropriate discipline and that other public officials are made aware of the discipline.

I know there are two theories about discipline in the public service. The most prevalent is to keep it quiet so it's only known to the individual and the manager. We heard some of that in the testimony of Commissioner Zaccardelli earlier this week, but that has no pedagogical effect within the public service.

Fourth, establish a code of professional ethics for access to information and privacy coordinators, an important element of which is the obligation to protect requester identities.

To assist you in your deliberations, at tab 6 I have included an excerpt from the commissioner's annual report of 1997-98, where we have suggested what the elements of a code of ethics for access coordinators should be, including the requirement of a strict duty to keep confidential the identity of access applicants.

Finally, provide a greater measure of independence from institutional pressure for access to information and privacy coordinators in the same manner as crown counsel are given institutional independence from their departmental clients.

Thank you for giving me the opportunity to make these remarks.

As per the committee's request, we are appearing today before you to give you an overview of the Office of the Privacy Commissioner's investigations process, since your committee is studying issues related to the alleged disclosure of the names of the access to information applicants.

It is our understanding that the Access to Information Act is silent on this front. In other words, there is nothing in the Access to Information Act that specifically indicates that the name of a requester cannot be disclosed. Since there is nothing that says you cannot name the requester, on the surface it would seem that it's not likely a contravention of the Access to Information Act. However, the matter could be a violation of the Privacy Act. This is where our office comes in.

Generally speaking, the name of a requester is considered personal information, and we can investigate to determine whether there has been an inappropriate disclosure of that personal information. The fact that the information happened to be disclosed in an ATIP request to us is incidental, though we do understand and appreciate the larger implications, of course. Whenever personal information is disclosed by a federal department or agency in any context, it may be subject to scrutiny under the Privacy Act.

When faced with any alleged breach, we need to investigate before coming to any kind of determination or conclusion, and each case has to be looked at on a case-by-case basis.

Up until recently, we have not investigated a similar matter for some time and, in the history of our Office, there has only been a handful of cases. Some well-founded, others not. It all depends on the circumstances.

At this point in time we are investigating a matter related to the naming of an ATIP requester and I’m sure you can appreciate that, given this, we are not at liberty to discuss the matter further. Section 33 of the Privacy Act states that our investigations shall be conducted in private, while section 63 of the Privacy Act tells us we have a duty of confidentiality with respect to any information we collect in relation to our investigations. That said, we understand that you would find it useful to have a better understanding of our investigation process under the Privacy Act.

Once we receive a complaint, we begin the process with an initial analysis of whether the allegations fall within our mandate -- whether it’s a matter related to the Privacy Act. Under that law, we can look at cases where a Government department may have improperly collected, used or disclosed an individual’s personal information.

Once we've determined that the matter falls within our jurisdiction, we assign an investigator to the case. We then write to the complainant and the government institution in question to outline key issues in the complaint. We begin to gather all the facts. This process includes interviews with anyone who might have relevant information to offer. We also look at any appropriate documents. The commissioner has the power to summon witnesses, administer oaths, and compel the production of evidence if voluntary cooperation is not forthcoming.

Throughout the course of our investigation we collect all the facts of the case and then follow up with a thorough analysis of that information. The analysis may include discussions between investigators and officials from our legal services, research, and policy branches. The investigator then prepares recommendations to the Privacy Commissioner or her delegate. Those recommendations, along with a summary of the facts gathered during the course of the investigation, are passed on to the complainant and the relevant government department or agency. Both parties can make further comments at this point.

Our ultimate goal is to resolve complaints and stop further privacy breaches. We operate under an ombudsman model, encouraging resolution through negotiation and persuasion. Ultimately it is up to the Privacy Commissioner to objectively decide what the appropriate outcome of the case should be.

The Privacy Commissioner sends letters of findings to the parties and outlines any recommendations she may have.

The commissioner can make a few different kinds of findings. For example, “not well-founded” means she does not believe a person's privacy rights under the law have been breached; “well-founded” means a federal institution violated the Privacy Act; “well-founded but resolved” means there was a privacy breach and the government department has agreed to take steps to prevent a reoccurrence.

Unfortunately, beyond making recommendations, the Privacy Commissioner has no further powers to force government departments to ensure that they implement her recommendations. This is a major gap in the Privacy Act, which is now almost 25 years old and, as you know, badly in need of modernizing. Unlike the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, PIPEDA, we cannot take the matter to the Federal Court, and no real redress is available to the victim. The only court recourse is for denial of access under the Privacy Act.

The commissioner has outlined her proposal for reform of the Privacy Act in the paper submitted to your committee in June. She looks forward to the opportunity to meet with you again for more in-depth discussion of the Privacy Act reform.

Thank you, Mr. Chairman. I hope this has provided a clear picture of our investigation process. We are pleased to answer any questions.

Mr. Chairman, before continuing, seeing that I have been with the Office of the Privacy Commissioner for a mere seven weeks, although at times it feels like a lifetime, I've asked one of my experienced Privacy Act supervisors to accompany me so as to ensure that accurate information is passed on to the committee. If any question surpasses my present knowledge on a subject, I would, with your permission, defer to Ms. Jan Peszat.

Thank you.

There are quite a few things you've raised there. Maybe I'll deal with the last one first.

We have no objection to government communications functions or ministerial staff knowing what information is going to be released under the access to information so that they can be prepared with house cards and Qs and As and so forth, as long as the process of doing that does not prejudice the requester by either delaying the answer going out or by changing the amount of censoring that's in the document and so forth. That process, I think, can flow without there being any exchange of identities--and some departments do it very well.

So no, as long as timeframes are met under the statute and it is properly applied, we don't have any problem with “sensitive requests” being routed through the communications function of a department.

We do find there is an enormous amount of curiosity, and I don't know if it has to do with question period, the dynamics of question period, about the identities. When I first started in government, ministers seemed to be quite willing to say, “I don't know the answer to that, but I'll find out”. Now there's a desire to know where these questions are going to come from, and how I am going to handle them, and that involves knowing who's going to ask the question. So if there's an access requester who's a member of Parliament who is always trying to get information on the gun registry, then there will be an interest on the part of the government in knowing which MP that is, whether the question can be anticipated from that person.

And there's also a tendency to categorize in such narrow categories that even if the identity is not disclosed, there is still a possibility of prejudicial treatment of the request. So the request will go to the communications function and say, here's what is going to be released, and it is from a media requester--or it is from a member of Parliament requester. And that itself may trigger a process that delays the answer going out . Even depersonalizing will sometimes lead to prejudicial treatment if too many senior levels in the department are involved in the process.

I'm not sure if that gets at the question you were asking or not.

Yes. We did see better education, better understanding, but we also found more subterfuge, the use of post-it notes to transmit the identity of the requester. It wouldn't appear on the actual transmittal slips of the file that went forward, but it would be on yellow post-it notes, to be removed later, and so on.

There were two types of reactions. One was in some areas to be much more professional and careful, and in others it was just to be more devious.

I don't disagree. The point I was making is that if there is a way to have the decisions about disclosure and about preparing ministers for their communications function made entirely devoid of who and what group of individuals may have made the access request--whether they're media...but especially who and what their motivation is, what they are looking for, whether they are doing a story on this or a documentary for that--I think it would lead to a fairer, more impartial application of the Access to Information Act.

The government runs a thing called CAIRS, computerized access to information request system. Every government institution that receives an access request is required to put into the system the subject of the access request, the date received, the department and so forth. The whole purpose of that system is to allow central agencies, the Privy Council Office in particular, to monitor what's coming into the entire system and to coordinate the responses. That is so that one department is not giving out things that another department is.

That system also includes categories for the requester. It does not have the name of the requester, but it has categories, in quite discrete forms. We worry that the system encourages discriminatory treatment. Some will come out--the media requests or the MP requests--and get a lot more hand-wringing, communications, and Qs and As. So they will be later and perhaps less forthcoming.

You have a point. It's not just an identity issue; it's an issue of being preoccupied with what groups as well as what individuals are making access requests.

In my opinion, the two acts do not contradict one another. The Access to Information Act is simply silent on that particular matter. It does not say whether or not we have that right.

However, the Privacy Act very clearly stipulates that, not because it’s an access to information request, but simply because no personal information can be released without the consent of the individual involved.

As to whether a specific clause should be added stating that this is a violation of the Act, I personally believe it would be a good idea. At the present time, only our legislation does that.

I don't sense any daylight between us on this one. I think there's nothing particularly in the Access to Information Act, but there is an appropriate provision in the Privacy Act that protects personal information. I think what the investigation should conclude is whether that personal information--the requester's name--was properly disclosed or improperly disclosed; it depends on the circumstances. Maybe there was consent, or maybe it was already publicly known. I'm not sure what.... There may be some justification for it. I think the prohibition is there, but it is in the Privacy Act, and there are no penalties in either act. The prohibition is in the Privacy Act, and there are no penalties in either act.

Oh, oh!

Yes, she has received calls, and advice was requested from her. I don't know about the Minister of Public Safety and Emergency Preparedness Canada, but I know that she has sat down with the Treasury Board. They've had a conversation in which her advice was sought.

Mr. Chair, I don't know exactly what was said, but--