Review Reports:
Below are the most recent Review Reports issued by the Review Officer. Reports are generally posted within 7 to 10 days of being sent to the parties. These documents are in PDF format, so you may need to install a free version of Acrobat Reader.
Report Release Date: January 9, 2012
Public Body: Halifax Regional Municipality
Issues: 1. Whether the HRM made a request to go in-camera and if
so,
whether it did so appropriately.
2. Whether the HRM has appropriately applied s. 476 [solicitor-client privilege] of the MGA to refuse the Applicant access to the Record.
3. If yes, whether the HRM has properly exercised its discretion to apply s. 476 of the MGA to this Record including whether it considered the appropriate factors in exercising its discretion.
4. Whether the HRM considered or ought to have considered the application of s. 486 [public interest] of the MGA.
5. Whether the HRM considered or ought to have considered the application of s. 485(5) [archival or historical purposes] of the MGA.
Record at Issue: Pursuant to s. 491 of the Municipal Government Act [“MGA”], the Halifax Regional Municipality [“HRM”] has provided the Freedom of Information and Protection of Privacy Review Office with a copy of the complete Record, including the information withheld from the Applicant. At no time are the contents of the Record disclosed or the Record itself released to the Applicant by the Review Officer or her delegated staff.
The Record at issue in this Review is an undated anonymous one page document that has been withheld in full under s. 476 of the MGA – the solicitor-client privilege exemption.
Summary: An Applicant requested personal information from the HRM regarding the land and deeds in the name of relatives between 1940 and 1969 and information regarding the Africville expropriation file. The Record was refused by the HRM based on the solicitor-client exemption under the MGA. The Review Officer found that the solicitor-client exemption did not apply, the HRM failed to consider exercising its discretion to release the Record and the HRM failed to consider public interest and the historical/archival sections of the MGA in the exercise of that discretion.
Findings: The Review Officer made the following findings:
1. I find that the HRM conducted an appropriate search and met its duty to assist the Applicant by making every reasonable effort to assist him by clarifying the scope of his Form 1 and by responding openly, accurately and completely.
2. I find it reasonable, however, that the HRM FOIPOP Administrator, out of an abundance of caution, wanted to make it perfectly clear s/he did not want the HRM’s initial Representations, which had made specific reference to the Record, to be made public in the Review Report.
3. I find that the ultimate decision under the MGA rests with the FOIPOP Administrator as the expert in access to information legislation and ought not to be usurped by the legal department.
4. On reviewing the one page Record, I find the first condition – that the communication be oral or written – is met as the Record is a handwritten note.
5. I find that the second condition – that the communication was confidential – has not been met.
6. I find that the third condition – that the Record is a communication between a client and a legal advisor – has not been met.
7. Having reviewed the Record thoroughly, I find the fourth condition – that the Record is about seeking, formulating or giving legal advice – has not been met.
8. I find that the HRM has failed to meet its burden to demonstrate that the Record is subject to solicitor-client privilege and, therefore, s. 476 of the MGA does not apply.
9. I find the HRM’s position that it never releases a record otherwise subject to the solicitor-client exemption contrary to the MGA and the practice of applying blanket decision-making when it relates to the solicitor-client exemption is unreasonable.
10. I find the factors the HRM listed as ones it would consider if it were to ever exercise its discretion, fall short of the relevant criteria to consider in exercising discretion.
11. I find public interest is relevant.
12. Given the attention paid to the Africville residents and their property interests historically and given that the HRM negotiated a settlement agreement with the Africville Genealogy Society during the material time of this Review, I find even if the solicitor-client exemption were to apply [which I have found it does not], that for the HRM not to exercise its discretion to release an archived record to an Africville descendant, in the public interest, is unreasonable.
13. I find the HRM gave no indication it considered public interest in making its decision.
14. I find that the only reasonable conclusion is that disclosure of the Record is clearly in the public interest.
15. Pursuant to s. 485(5)(a) of the MGA, I find that the disclosure of a Record regarding property interests to a son, grandson and great grandson for persons deceased well over 20 years not to be an unreasonable invasion of anyone’s personal privacy.
16. I find it is reasonable to conclude that the Record is no less than forty years old.
17. Pursuant to s. 485(5)(b) of the MGA, I find the HRM knew the Applicant’s access to information request was for his familial historic research to learn about his relatives’ property interests in Africville.
18. Pursuant to s. 485(5)(c) of the MGA, I find the Applicant is seeking information for an historical purpose for relatives who have been dead for twenty or more years.
19. I find the HRM has failed to give any consideration to s. 485(5) of the MGA.
20. I find that the only reasonable conclusion is the Record should be disclosed pursuant to one or all three of the conditions set out in s. 485(5) of the MGA.
Recommendations: The Review Officer made the following recommendations to the HRM:
1. Release the Record in full to the Applicant.
2. Discontinue the current practice of applying the solicitor-client discretionary exemption as if it were mandatory.
Key Words: Africville, anonymous, archives, burden of proof, client, communication, confidential, delegated authority, discretionary, expropriation, in-camera, historical, history, legal advice, legal advisor, mandatory, onus, override, public interest, reasonable, release, solicitor-client privilege, unreasonable, usurp.
Statutes Considered: Part XX of the Municipal Government Act ss. 462, 462(3)(A), 467, 476, 485(5), 485(5)(a), 485(5)(b), 485(5)(c), 486, 486(1), 490, 491, 495(6).
Case Authorities Cited: NS FI-08-104, FI-09-04, FI-08-47(M), FI-05-08; AB Order 97-007; AB Order 97-003; ON Order M-457; CBC v. Canada (Information Commissioner), 2010 FC 954.
Other Cited: HRM Municipal Archives website Africville [http://halifax.ca/archives/AfricvilleSources.html]; HRM Municipal Archives website Africville Terms and Conditions of Apology and Agreement 2010 [http://www.halifax.ca/africville/Documents/councilreport.pdf]; Remember Africville – Producers Daryl Gray & Shelagh Mackenzie. National Film Board of Canada, 1991; Saunders, Charles R. et al. The Spirit of Africville. Halifax: Formac, 1992. Print; McNairn and Woodbury “Government Information, Access and Privacy”; Government of Ontario, FOIPOP Manual.
Report Release Date: December 13, 2011
Public Body: Department of Labour and Advanced Education
Issues:
Whether the Department of Labour and Advanced Education [“Labour”]
appropriately applied the Freedom of Information and Protection of
Privacy Act [“Act”] and, in particular:
1. Whether the Record was prepared in an appropriate manner including whether a complete search for responsive Records was conducted.
2. Whether Labour applied the exemptions in a blanket manner or whether severing could have been applied to the responsive Record in accordance with section 5(2) of the Act.
3. Whether the withheld information would reveal the substance of Executive Council deliberations [section 13(1)].
4. Whether the withheld information fits the definition of advice or recommendations [section 14(1)].
5. Whether the withheld information could reasonably be expected to harm law enforcement [section 15(1)(a)].
6. Whether the withheld information could reasonably be expected to reveal any information relating to or used in the exercise of prosecutorial discretion [section 15(1)(f)].
7. Whether the withheld information could reasonably be expected to deprive a person of the right to a fair trial or impartial adjudication [section 15(1)(g)].
8. Whether the withheld information is in a law-enforcement record and whether the disclosure would be an offence [section 15(2)(a)].
9. Whether the withheld information is in a law-enforcement record and the disclosure could reasonably be expected to expose someone to civil liability [section 15(2)(b)].
10. Whether the withheld information fits the definition of solicitor-client privilege [section 16].
11. Whether “not applicable” can be used to sever information from a responsive record. If yes, whether the information is in fact not applicable.
12. Where it has been determined that a discretionary exemption applies, whether Labour has properly exercised its discretion to apply the discretionary exemptions.
13.Whether the withheld information fits the definition of personal information.
14.If yes to #13, whether the disclosure would be an unreasonable invasion of third party privacy [section 20].
15.Whether the withheld information meets the three-part test for business information [section 21].
16.Whether Labour has caused an inordinate delay in the processing of the Application for Access to a Record and during the Review process.
17.Whether Labour has met its duty to assist [section 7], including whether its disclosure decisions were open, accurate and complete.
18.Whether public interest is a factor that should be considered in this case [section 31].
19.Whether Labour has misunderstood how to make an in-camera Representation and who controls the Review process involving the exchange of Representations between parties.
Record at Issue: Pursuant to s. 38 of the Act, Labour has provided the Freedom of Information and Protection of Privacy [“FOIPOP”] Review Office with a copy of the complete Record, including the information withheld from the Applicant. At no time are the contents of the Record disclosed or the Record itself released to the Applicant by the FOIPOP Review Officer or her delegated staff.
The Record in this Review is a very large Record [approximately 2059 pages] and consists of a variety of document types. The responsive Record relates to an Occupational Health and Safety investigation in which the Applicant was the complainant.
Findings: The
Review Officer made the following Findings:
1. I find that the Applicant has not received an “open, accurate and complete” decision, which may result partly from an incomplete search. The Act requires a public body to “make every reasonable effort to assist the applicant and to respond without delay, openly, accurately and completely.”
2. Where exemptions are relied upon and portions of the Record severed, I find that Labour has not provided any explanation as to how it exercised its discretion.
3. I find in this Review Labour did put its mind to preparing an Index, was granted time extensions based on its representation that it needed time to prepare the Index and finally reneged on its promise to provide an Index that would not only have been prudent but in this case absolutely necessary.
4. I find that by not retaining a copy of the severed Record sent to the Applicant, Labour appears to be in violation of the Government Records Act and, thus, is not in compliance with the Standards for Administrative Records for administrative records belonging to a public body of the government of Nova Scotia.
5. On a review of the entire Record, I find that the Applicant has not received an “open, accurate and complete” decision as a result of the way in which the Record has been prepared or produced as it does not meet that test of accurate and complete.
6. I find that had Labour, three years ago, created and Index as it promised to do repeatedly, assigned particular exemptions to particular parts of pages in the Record, three things may have been accomplished: the Applicant would understand what and why portions of the Record had been withheld and thus Labour would have met its duty to assist; both the Applicant and the Review Office would have been able to understand why hundreds of pages appear to be missing; and the Review Office would have been better able to guide the Applicant and Labour to a narrowed Review scope and a possible informal resolution. Further, I find that the kind of blanket application of multiple exemptions is not the appropriate manner in which to redact a record.
7. Labour has not addressed any part of the test under s. 13(1) of the Act, and it is completely unclear to which part of the Record Labour is attempting to apply s. 13(1). I find Labour has failed to prove that the disclosure of information would reveal the substance of Executive Council deliberations.
8. I find Labour has failed to provide anything to show that the definition of advice has been met and has failed to file any evidence that advice was sought or anticipated or to name anyone who was given the advice who could take action with respect to that advice.
9. The onus is on Labour to show (1) what law enforcement matter is affected; (2) identify the harm; and (3) directly connect the disclosure with the contemplated harm. While there was an investigation and a proposed prosecution that did not proceed, both were concluded prior to Labour making Decision #1 and its first release of the severed Record. In any event, and this applies equally to the discussion below for Issues #7 and #8, I find that Labour has failed to provide any details to meet the “expectation of harm test”, which is an essential element.
10.I find the onus is on Labour to show how the disclosure of information would reveal information about prosecutorial discretion [such as decisions that were made] and I find Labour has failed to meet this onus.
11.I find Labour appears to have misunderstood the status quo at the time of the original Application for Access to a Record in relation to the fact that the investigation was finished and the prosecution withdrawn. I find Labour has failed to demonstrate how the fair trial exemption applies to any part of the Record.
12.I find the onus is on Labour to provide (1) evidence that the Record is in a law enforcement record and (2) the name and section of the enactment that makes disclosure an offence and Labour has failed to meet this onus.
13.I find Labour has failed to show how the release of any part of the Record could reasonably be expected to expose anyone to civil liability.
14.Labour is relying on the litigation branch of solicitor-client privilege because it referred to advice with respect to a pending prosecution. I find that Labour has failed to provide any evidence to demonstrate any portion of the Record falls within the communication branch of solicitor-client privilege.
15.I find that when a decision was made not to proceed with prosecution and charges dropped, the solicitor-client privilege exemption was no longer available to Labour.
16.In cases where parts of the Record are personal information, I find Labour should have claimed s. 20, an exemption that allows for personal information to be severed, rather than using “not applicable” as if it were an exemption.
17.I find that records management starts with the creation of a record and those working for public bodies should be cognizant of what is documented in a record. When communicating by e-mail about core business, public servants need to be cautious to restrict e-mail to the business matter at hand or risk personal discussions being made public.
18.I find Labour has erred on the side of withholding information in exercising its discretion.
19.I find that Labour cannot apply any of the discretionary exemptions claimed to any part of the Record.
20.I find that Labour has failed to demonstrate how all three parts of the s. 21 exemption apply to the Record.
21.I find the delay of three years since Labour received this Application for Access to a Record from the Applicant was excessive and could have been significantly reduced by the preparation of an Index and attention to detail in preparing the Record [line-by-line review] and noting exemptions and parts thereof for the Applicant.
22.I find Labour continues to show a lack of respect for applicants’ fundamental right of access to information guaranteed by the Act and as interpreted by the Courts. I also find Labour continues to show a blatant disregard for the Review process as an independent impartial oversight body that has the statutory authority to Review its decisions under the Act.
23.I find that Labour partially met its statutory duty to assist by waiving the application and processing fees for the Applicant. I also find that Labour assisted by provided information to the Applicant that s/he had provided to or received from Labour to avoid the absurd result consequence. However, I find Labour failed in its decision letters to give any comprehensive reasons or indication how it exercised its discretion as required by the Act. I also find that Labour’s failure to provide an Index to be most importantly a breach of promise to do so which it made on at least ten separate occasions. Because of the Record’s size and the disorganized manner in which it was produced and provided to the Review Office, this failure was unhelpful and completely inappropriate.
24.I find that when exercising its discretion under all discretionary exemptions, Labour failed to consider the public interest in the Applicant needing to know as much information as possible in such circumstances. Labour should be aware of this need to know particularly as Labour represented its mandate to be a responsibility for safety in the workplace. I find Labour should have considered factors such as compassion, necessity, fairness and clarity in exercising its discretion taking into account public interest.
25.I find Labour has not complied with requests to provide Representations to the Review Office in a timely manner and it has chosen to disregard the delegated authority given the Review Office team.
26.I find there to be considerable confusion about the Review process and in particular the burden on Labour throughout the process to meet the onuses set by the statute. It appears Labour has totally disregarded the Investigation Summary provided for the primary purpose of assisting parties in preparing final Representations. I find Labour incorrectly takes the position that it determines what is at issue and when and how to respond in a Review.
Recommendations: The Review Officer made the following Recommendations to Labour:
1. Release to the Applicant all information withheld under exemptions for which Labour did not meet the onus to withhold, which includes all instances of the following: s. 13(1) [cabinet deliberations], 14(1) [advice and recommendation], all of s. 15 including 15(1)(a) [law enforcement], (d) [confidential sources], (f) [prosecutorial discretion], (g) [fair trial] and 15(2)(a) [offence], (b) [civil liability], 16 [solicitor-client], 21 [trade secrets].
2. Provide the Applicant with copies of all the missing pages that were outlined in the Appendix provided to Labour by the Review Office Director on September 14, 2011.
3. Review all information marked as “not applicable” and release all responsive portions of that information to which no exemption applies. Where an exemption such as s. 20 applies, note that on the severed Record with an explanation.
4. Specifically release to the Applicant the complete unsevered expert’s report [ensure all pages are included in the release as there were three pages missing even in the copy provided to the Review Office].
5. Make every effort to resource the FOIPOP office adequately and appropriately particularly when the FOIPOP Administrator is unavailable for a variety of reasons where those reasons do not relate to operational requirements.
6. For all future Applications for Access to a Record, Labour adhere to the record retention schedule set out by statute and in STAR [the Standard for Administrative Records - Information Management Group 5200 -30], Information Access and Privacy Management and retain a copy of all versions of a record provided to the applicant, third parties and the Review Officer.
7. Provide the Review Office with a complete copy of the Record provided to the Applicant in response to these Recommendations.
Key Words: advice, blanket, burden, complaint, delay, delegation, discretion, employment, Executive Council, exemption, extension request, fair trial, head of the public body, in-camera, index of records, investigation, law enforcement, line-by-line, litigation privilege, onus, openly accurately and completely, personal information, prosecutorial discretion, reasons, recommendation, records management, solicitor-client privilege, STAR, unreasonably interfere with the operation of the public body, witness statements, workplace.
Statutes Considered: Freedom of Information and Protection of Privacy Act, ss. 2, 13(1); 14(1); 15(1)(a),(d),(f),(g) and 15(2)(a),(b); 16; 20(1); 20(3)(b),(g); 21(1)(a)(ii),(b),(c)(i)(ii) and (iii); Occupational Health and Safety Act; Government Records Act ss. 9, 12.
Case Authorities Cited: NS Review Reports FI-10-41/FI-10-85/FI-10-86/FI-10-87, FI-07-58, FI-07-60, FI-10-26, FI-07-14, FI-04-50, FI-07-32, FI-06-71(M), FI-08-39, FI-08-107, FI-08-104; O’Connor v. Nova Scotia (Minister of the Priorities and Planning Secretariat) 2001 NSCA 132; R. v. Fuller, 2003 NSSC 58; Canadian Broadcasting Corporation v. Canada (Information Commissioner), 2010 FC 954; AB Order 96-006, AB Order 2001-002; BC Order 02-38, BC Order F05-27, BC Order 04-22; ON Order MO-2183; ON Order PO-2789; ON Order M-14; BC Order F06-11.
Others Cited: Alberta FOIP Guidelines and Practices (2009); Standard for Administrative Records - Information Management Group 5200 -30 [STAR].
Report Release Date: December 1, 2011
Public Body: Municipality of the County of Kings
Issues: Whether the Municipality of the County of Kings [“Kings County”] is in contravention of Part XX of the Municipal Government Act [“MGA”] and, in particular:
1. Whether Kings County’s fee calculation is fair and accurate?
2. Whether Kings County’s decision not to waive all or part of the fees
is fair in the circumstances?
Record at Issue: No Record has been provided to the Review Officer by Kings County as the only issue is with respect to fee estimate.
Findings: The Review Officer made the following findings with respect to the fee estimate provided to the Applicant by Kings County:
1. I find that Kings County had the statutory authority to make a decision as to what fees it could charge and to exercise its discretion to waive all or part of the fees to the Applicant.
2. I find Kings County is entitled to require the Applicant to pay fees for locating the Record, preparing the Record for disclosure and for making a copy of the Record if the Applicant asks for a copy, but the fees allowable under the MGA are limited to the actual costs to the public body.
3. I find the Applicant cannot be charged for work already done vis-ŕ-vis the Record.
4. I find the nearly 2,600 pages of information already posted to the Kings County website does not fall under the MGA and should not form part of the public body’s response to the access request.
5. I find Kings County has conflated search and severing because it has charged twice for one step in the process [$1,200 and $6,960], a kind of double-dipping which is not permitted under the Regulations: Kings County has charged once for locating all the emails [search] and then charged a second time to review what it has located to determine if the emails are responsive [search] and then again to determine if any exemptions apply [severing]. While search and severing are two allowable and distinct steps under the Regulations, two separate charges for search are not permissible.
6. I find public bodies cannot charge legal or consultation fees as they are not a permissible factor to be considered under the Regulations. Only what is included in the Regulations can form part of a fee estimate.
7. In exercising its discretion, I find Kings County failed to take into account the Applicant’s Representations that include:
§ The Applicant’s Form 1 did not request a copy of the Record but only asked to “examine the record.”
§ The Applicant’s letter of February 9, 2011 indicated that the Record was likely to be only 100 pages and did not want a reprint of the complete file, to which the Applicant already had access.
§ The Applicant was familiar with the Record and while s/he was not able to provide keywords for the search s/he was willing to sit down with Kings County to narrow the scope of the search.
§ Approximately 2,600 pages of records related to the named planning application were publicly available on Kings County’s website as of August 30, 2011.
§ The Request for Proposals Terms of Reference document (date issued) produced by Kings County for “planning application support services” states, at Section 8.1:
Municipal staff will also perform the following, as part of the application process:
... File maintenance. All correspondence, including email correspondence, regarding the file shall be provided to the Planner.
10. I find Kings County has not provided an estimate proportionate to the work required, has not worked with the Applicant efficiently and effectively to narrow the scope of the request and has failed to respond accurately to what the Applicant had requested.
11. Because the public body misconstrued or failed to focus on what the Applicant was actually seeking access to, I find King County inflated its fee estimate and, therefore, the calculation was not fair or equitable.
12. I find the fee estimate to be so inflated that it amounts to shifting an unreasonable burden of the cost from the public body to the Applicant thus setting up a barrier to the Applicant’s statutory right to access information.
13. I find the Applicant made it clear on the Form 1 and the accompanying letter that s/he sought to have access to examine the Record and not to receive copies of any part of the Record to which s/he had already had access.
14. I find Kings County failed to make a concerted effort to work with the Applicant, despite the fact that it had required the Applicant to make the Application for Access to a Record in order to locate the Records the Applicant felt were missing from their records.
15. I find Kings County did not respond to the Applicant in an appropriate manner, it did not work with the Applicant to narrow or clarify the request, it did not provide anything to the Applicant free of charge and the request likely does not involve a large volume.
16. I find that the Applicant could have made a greater effort to narrow the scope (though s/he did try to some extent), stick to his/her original request to view the Record rather than obtaining a copy and propose a compromise given the circumstances.
17. I find, considering all of the factors, on balance, the decision not to waive part or all of the fees, in these circumstances, not to be unfair or unreasonable.
Recommendations: The Review Officer made the following Recommendations:
1. Kings County provide the Applicant with the opportunity to view the Record already compiled and thereafter conduct a search of what may be missing from the compiled Record.
2. In order to comply with Recommendation #1, Kings County will meet with the Applicant and together conduct an electronic search for the Record.
3. After conducting the electronic search together, Kings County will provide the Applicant with the opportunity to view the Record in an electronic form identified during the electronic search.
4. Kings County may charge the Applicant for its actual time to conduct the electronic search and for photocopying should the Applicant want paper copies, after the search done together is completed.
Key Words: accurate, apology, authorized, contract, delay, double-dipping, electronic, estimate, equitable, fair, fees, inflated, keywords, legal advice, locating, professional obligations, public interest, reasonable, records management, representative sample, search, severing.
Statutes Considered: Part XX of the Municipal Government Act [MGA], s. 462, 463(2)(b), s. 466, 467, 471, 491, 501(2); Freedom of Information and Protection of Privacy Regulations s. 6.
Report Release Date: November 18, 2011
Public Body: Workers’ Compensation Board of Nova Scotia
Summary: After media reported that an injured worker, requested a copy of his claim file from the WCB, and received another worker’s file instead, the Privacy Review Officer exercised her discretion to initiate an investigation on her own motion, as contemplated by s. 5 of the Privacy Review Officer Act.
Findings: The Review Officer made the following findings:
1. Section 27 of the FOIPOP Act does not authorize the WCB to release one injured worker’s personal information to another injured worker. I find the disclosure of the personal information constitutes a breach under the FOIPOP Act. I find that the WCB acknowledges it had no authority to disclose the personal information in the manner that is subject to this Review. While there was no evidence the releases were intentional, malicious, or purposeful, the breaches remain serious.
2. I find that the collection, retention, use and disclosure of personal information makes up a large part of the “industry” of the WCB.
3. I find that the WCB has fallen short under its own Privacy Breach Policy. While the promoting accountability and monitoring compliance provisions of the Policy are mostly adequate, they are not followed. The WCB has failed to follow its own Policy as follows:
a. The designated manager has not reported to the Privacy Breach Advisory Committee as the WCB has failed to constitute the Committee;
b. The designated manager is accountable to promote and implement the Policy but has fallen short to ensure it is fully implemented and followed;
c. Legal Services is required by the Policy to provide statistics on privacy breaches to corporate but this does not appear to have been done.
4. I find that the existing breach level definitions are unclear and therefore unable to lead to any consistency or accuracy, insufficient to cover the types of information the WCB handles, and too focused on the potential impact a breach may have on the WCB.
5. I also find that, even where a breach is discovered that would appear to be at least a moderate breach under the WCB Policy’s rating system, it is often characterized as minor. This may be because the breach ratings are unclear. However, it has the effect of reducing the WCB’s internal responses and responsibilities (i.e. notification).
6. I find there is some evidence that in the Privacy Breach Notifications, the WCB under-reports the full extent of the personal information disclosed and in doing so may be mischaracterizing a breach as minor when it is in fact moderate or major.
7. I find that the WCB has erred in making a distinction in the definition of personal information between business card only and inherently personal. Either information falls within the definition of personal information or it does not. The WCB is not able to divide personal information into classes, one that is entitled to privacy protection and one that is not.
8. Given the mandate and business of the WCB, I find the WCB should make it clear in its Privacy Policy that staff are to view all claim files and their contents as “sensitive information” and treat it accordingly. I also find that the WCB’s policies and practices should reflect that privacy is a private matter and that the impact of the disclosure of personal information should be left for the individual to decide not the WCB.
9. I find that the WCB’s response to the high volume breach was appropriate in most respects. It tried to contain the problem by contacting the injured workers by telephone. The WCB, however, misconstrued how a high volume breach should be defined. If there is a breach of personal information involving a large number of individuals, even if the amount of personal information in each case is small, it is by the WCB Policy’s own definition a major privacy breach. I find that to have divided this large number into individual minor breaches was not appropriate. This approach does not demonstrate accountability or a commitment to the privacy of injured workers on the part of the WCB. I find the WCB ought to have defined it as a major breach. In private sector businesses, such as banks or retail stores, the public would not tolerate this practice of dividing a large volume breach into multiple minor breaches.
10. I find that the WCB needs to address the issue of privacy in a much more systematic manner at all levels of the organization through leadership, staff training, and clear privacy protection practices. The WCB will, as a result undergo a cultural shift to a zero tolerance policy: one privacy breach is one breach too many.
11. I find that the WCB uses inappropriate factors in measuring the level of breach and its response to the breach: who receives the disclosed personal information, what the recipient does with the personal information received, and most importantly, what the impact of the breach is on the WCB.
12. I find that the WCB places an undue emphasis on risk to itself as an organization in making a determination as to the level of the breach. Risk factors such as the risk of liability to the WCB if disclosure of personal information results in identity theft or risk of embarrassment if a privacy breach becomes a matter of media interest will inevitably be considerations for the WCB. I find, however, the WCB needs to change its focus under the Policy to make the privacy interests of the injured workers paramount.
13. I find that the WCB rarely notifies individuals when their privacy may have been breached. Excluding the single incident characterized as 71 unique breaches, notifications have been sent only 13% of the time. This also demonstrates the WCB’s tendency to minimize the impact any particular breach may have on an individual injured worker.
14. I find that the Policy appears to encourage the lack of notification by making it discretionary in all cases, focusing the impact of the breach on the WCB as an institution and allowing for a broad range of disclosures to be categorized as “minor.”
15. I find there to be inconsistencies in how the definitions of the privacy breach levels are applied by the WCB. I also find the documentation provided back to managers lacks substantive helpful advice or guidance particularly where the breach level has been changed. There is no discretion in the Policy to change the classification of a breach without detailed evidence showing facts are wrong.
16. I find the Policy requires a committee that is populated by all the major business areas of the WCB and that this model is ideal for addressing follow-up and prevention of privacy breaches because it is provides for a systemic approach. Unfortunately, I also find that there is no evidence that a Privacy Breach Advisory Committee has ever been established and properly constituted in accordance with the Policy and, therefore, I find that the WCB is in breach of its own Policy by failing to do so. Further, I find that the principal means by which the WCB and its executive can receive assessment and advice regarding privacy breaches within the organization is unfortunately completely missing. The Privacy Breach Advisory Committee should have been properly constituted to do the work as contemplated by the WCB’s Policy.
Recommendations: The Review Officer made the following recommendations:
1) The WCB’s Annual Report speaks of changing leadership cultures to ensure safe work practices. It notes that “Our community needs to embrace a very simple ideal – that one Nova Scotian injured on the job is too many.” This is a laudable goal. The Privacy Review Officer, however, recommends that the WCB take that same view of ensuring best privacy practices at the WCB: best privacy policies and practices will only come with an effort to make privacy a top priority and when the WCB accepts that one privacy breach is too many.
2) The WCB is highly cognizant of the self-worth component of working: i.e. dignity, autonomy, making meaningful contribution (as an example, see the “Rod Stickman” videos at www.worksafeforlife.ca). The WCB’s emphasis on the importance of these values is commendable. Privacy, however, is as important in achieving these values, and in helping workers back to work, or assisting those who can never go back, the WCB needs to be cognizant of the self-value of privacy. Workers have to give up their personal privacy – i.e. a fundamental part of themselves, their dignity and their ability to be autonomous – to the WCB in the course of pursuing a claim and return to work. The Privacy Review Officer, however, recommends that the WCB needs to put privacy on a higher plane and recognize that it is the guardian of sensitive personal and personal health information.
3) I strongly recommend that the Privacy Breach Advisory Committee as described in the Privacy Breach Policy be constituted, and that it should meet on at least a quarterly basis to examine all Privacy Breach Reports. The Committee should proceed with its policy-dictated function of producing a quarterly report to “document the learnings” from any breaches and should be available to meet when more urgent breaches arise. The Committee could also be responsible for contributing to and monitoring the effectiveness of any revised breach definitions in the Policy coming out of this Privacy Review.
4) I recommend that the Privacy Breach Advisory Committee become an internal promoter of best privacy practices. The Committee could do so through its quarterly reports that could be circulated through an employee newsletter.
5) I recommend the Privacy Policy remove any reference to discretion in determining the level of breach. The determination of the breach level must be a finding of fact and needs to be investigated as such.
6) I recommend the breach classifications need to be re-written for greater clarity, and the classifications need to be based on (in priority order): (1) the kind of personal information; (2) the volume of personal information; (3) to whom the personal information was improperly disclosed and the extent of the breach; (4) the potential harm to the affected individual(s) as a result of the breach. An example follows:
§ To be categorized as minor, you must be able to answer yes to all of the following questions:
o Was the information disclosed limited to the injured worker’s name, address, phone number and employer’s name?
o Was the release of the personal information contained to only a small number of injured workers (3 or fewer)?
o Has the personal information been recovered?
o Is the cause of the privacy breach known, and has it been contained?
§ A minor breach must also include a no to the following questions:
o Did the information contain details of the worker’s injury and/or his/her requirements for a successful return to work?
o Did the information contain the injured worker’s Social Insurance Number [SIN], Health Care Number, WCB claim number and/or date of birth?
o Has the same type of breach occurred within the same unit at the WCB within the last three months?
o Is there enough identifying personal information in the disclosure to re-create the individual’s detailed contact information that could be used for identity theft?
§ If you answer yes to any of the following questions, the breach would be considered at least moderate:
o Did the disclosed information contain the injured worker’s date of birth or SIN?
o Did the disclosed information contain high-level details of a worker’s injury or return to work needs and was it sent to someone other than the worker’s employer?
o Was more than one individual’s information disclosed at once?
o Did more than three but fewer than 10 individuals receive the information?
o Is the cause of the breach unknown, and therefore the breach has not been contained?
o Does the information disclosed meet the standards of a major breach, but it has been disclosed to a WCB third party service provider, who is also bound by WCB’s Privacy Policy? How has the WCB satisfied itself that the WCB third party service provider complies with the WCB’s Privacy Policy?
o Has the same type of privacy breach occurred within the last three months?
§ If you answer yes to any of the following questions, the breach would be considered major:
o Does the disclosed information contain the detailed health care history or doctor’s charts of an injured worker, including such disclosure to the worker’s employer?
o Does the disclosed information relate to, or was it sent to 10 or more individuals?
o Is the breach the result of an external attack? This relates more to information technology and security than it relates strictly to privacy, but the problem with the existing Privacy Breach Policy is that it appears to be more a security-based policy than privacy-based. The difference being that security relates to how the WCB manages the information, whereas privacy relates to the individual injured workers.
7) I recommend that the WCB apply its own definition of privacy breach consistently and to proactively ensure notification to injured workers and containment of the breach.
8) I recommend the WCB look for ways to scale back the amount of personal information that it discloses during its day-to-day operations. The WCB’s objective to get the injured worker back to work safely and healthy is very important. To do this, it seems employers would need a fairly limited amount of information: what did the employee injure, how did s/he injure it and what medically approved steps need to be taken to ensure a healthy and successful return to work? Limiting the disclosure to what is specifically needed for that purpose is consistent with the FOIPOP Act, and it will help to mitigate against a potentially larger breach if the information is sent to an incorrect location. In part it will do so by requiring the individual WCB employee responding to the request for disclosure to turn his or her attention to the file, what needs to be included in the disclosure, to whom it is being sent and how.
9) Where it is determined that employee performance plans should include a goal for maintaining privacy, the focus should be on ensuring that the privacy and dignity of injured workers is protected not on disciplining employees or protecting the WCB. I recommend including a commitment to protection of privacy as part of all employee performance plans and note that the emphasis should not be on privacy breaches, which comes across as punitive. The goal could, however, be measured by ensuring that the worker who breached the personal information made a vigorous effort to recover and contain the breach, and made every effort to notify the individual whose privacy may have been breached within a reasonable timeframe thus demonstrating a commitment to the importance of protecting privacy.
10) I recommend that notification of the individual whose privacy may have been breached should be done in all cases, regardless of the level of the breach. To reconfigure the attention the WCB pays to privacy requires that each and every example of the disclosure of personal information is addressed with the affected individual.
11) I recommend that individuals be notified when their privacy may have been breached. One of the WCB’s core values is to be “Caring and Compassionate,” which it explains in its Annual Report as “striv[ing] to walk a mile in workers’ and employers’ shoes. We will serve as we like to be served and provide those we serve with the respect and support they need to be successful.” It would seem that part of this would be not to allow employees to make assumptions about whether or not a privacy breach would be a concern for a particular injured worker.
12) When notifying individuals of a privacy breach, I recommend that the WCB make clear that workers have the right to file a privacy complaint with the WCB, that will be separate and distinct from their WCB claim file; and that if the worker is unsatisfied with the WCB’s response, s/he has the right to file a Request for Review with the Review Officer. The WCB should create and demonstrate a protective screen to ease injured workers’ concerns in this regard.
13) The WCB has not produced a privacy complaint policy to date. I recommend that the WCB develop a privacy complaint policy that is publicly available, on its website and includes how complaints will be processed to guard against retribution.
14) The public body sending information bears the responsibility to ensure that the personal information it is sending is accurate. I recommend that the WCB should, therefore, modify the 8/10 form, on which doctors report on injured workers’ visits, to ensure that form is updated every time the injured worker sees the doctor (for instance, perhaps by adding a check box on the form that confirms the doctor has verified the patient’s employer), and/or the WCB should confirm with the worker that it has the correct employer before sending information off to what the WCB believes is the correct employer.
15) I recommend that the WCB ensure that it recovers all personal information it has inadvertently disclosed and it should not be attempting to pass on any costs of doing so. It is not sufficient to rely on the incorrect recipient injured worker or health care provider to destroy the information received. I further recommend that the WCB bear all costs associated with having the personal information returned to or retrieved by its offices.
16) The WCB appears to be moving away from identifying individuals solely by their WCB claim number, and I recommend this practice continue. Relying on multiple identifiers will assist the WCB to guard against misdirecting personal information to the wrong person.
17) If practical, I recommend that an injured worker’s CW should act as a second pair of eyes on a file containing personal information before it is mailed out.
18) I recommend that the WCB make its Privacy Policy readily accessible on its website and make it patently clear on its website that all approved service providers will be bound by the WCB Privacy Policy.
19) I recommend that the WCB incorporate the FOIPOP Act’s definition of personal information directly into the Privacy Breach Policy (and not just referentially incorporate it), and make note, as a best practice, that the WCB also collects and uses the sensitive personal health information of injured workers.
20) Organizations do not have privacy rights and thus I recommend that the Policy should not include the risk of harm to an organization as part of the metric for determining the severity of the breach.
21) I recommend that the WCB amend its Policy to require notification of the injured worker whenever a privacy breach occurs, and regardless of the classification of the breach level.
Response to Recommendations: The WCB has committed to implementing seven of the recommendations immediately, while the remaining 14 will require a reasonable period to fully adopt. The Review Office intends to revisit the WCB’s implementation progress within the next year.
Report Release Date: July 27, 2011
Public Body: Halifax Regional Police
Issue: Whether the Halifax Regional Police [“HRP”] is in
contravention of the Part XX of the Municipal Government Act [“MGA”] and
in particular:
1. By refusing to provide the Review Officer with the Record as required
by s. 491 of the MGA.
2. By basing its refusal to provide the Record to the Review Officer on
a decision under s. 463(2)(f) of the MGA when in fact there is only an
ongoing investigation and no prosecution.
3. By failing to provide the Review Officer with any evidence to support
its claim that the Record relates to an ongoing prosecution.
Record at Issue: No Record has been provided to the Review Officer by
the HRP.
Summary: The Applicant made an Application for Access to a Record
in March 2011. The HRP made a decision under the MGA exercising its
discretion to refuse the Record representing that disclosure could
reasonably be expected to harm the effectiveness of investigative
techniques or procedures currently used in law enforcement. The
Applicant made a Request for a Review. For the three months following
the Request, the HRP delayed in providing a copy of the responsive
Record to the Review Officer despite representations it intended to do
so and despite repeated requests from the Review Office to do so. In
July 2011 the HRP notified the Applicant of a new decision that the
Record was excluded under the MGA because the requested Record is based
on investigations and prosecutions and the matters are still proceeding
and therefore the Record was not subject to disclosure to the Applicant
or subject to the Review process. This Report deals solely with the
issue of the statutory obligation on the HRP to provide a copy of the
responsive Record to the Review Officer.
Findings: The Review Officer made the following findings with
respect to the issue of the HRP’s failure to provide the Review Officer
with the Record:
1. I find that the HRP made a decision to the Applicant to withhold the
Record relying on an exemption under s. 475(1)(c) of the MGA. By making
a decision relying on an exemption and by advising the Applicant of
his/her right to Request a Review of that decision to me as the Review
Officer, the HRP attorned to my jurisdiction under the MGA.
2. When the Applicant filed a Request for Review of the HRP’s decision,
I find that I was under a statutory duty to conduct a Review and had no
authority under the legislation to refuse.
3. I find that the HRP has failed to provide a copy of the responsive
Record despite its representations it would do so and the Review
Office’s repeated requests for it to be provided.
4. I find that the HRP has not provided the Review Office with one
scintilla of evidence of any pending or actual prosecution or any
evidence that the Record relates to an ongoing prosecution, which is the
statutory test for a Record to be excluded.
5. I find that s. 475 of the MGA provides the HRP ample opportunity to
claim these discretionary law enforcement exemptions.
6. I find the HRP is attempting to use an ongoing investigation that may
or may not result in a prosecution as a means of avoiding producing the
responsive Record to the independent oversight Review Officer. By
incorporating the language of investigations into its latest decision to
the Applicant “the requested records are based on investigations and
prosecution” the HRP cannot transform what is an investigation into
something in respect of a prosecution in order to fall under s.
463(2)(f). To convert the exclusion provision with respect to
prosecutions into something that can be used for an investigation would
render the law enforcement exemptions under the MGA meaningless.
7. I find that it would be an absurd result if a public body was
permitted to proceed in the manner in which the HRP has in this case:
make a decision and claim an exemption under the MGA; advise the
Applicant of his/her Right to Request a Review; indicate to the Review
Office the Record was forthcoming and then do a complete about-face;
change its decision and claim the Record is excluded.
8. I find that a public body’s claim that a Record is excluded does not
automatically exclude the statutory jurisdiction of the Review Officer
as the oversight body. In an instance, such as this, a public body’s
claim cannot be accepted at face value. Because the HRP has made
misrepresentations to the Review Office and dramatically altered its
decisions to the Applicant, the Review Officer is required to ensure the
exclusion applies, in fact and in law.
9. I find the HRP is using an ongoing investigation that may or may not
result in a prosecution as a means of avoiding producing the responsive
Record to the independent oversight Review Officer.
10. I find the HRP’s lack of cooperation and apparent lack of faith in
how the Review Office would deal with a potentially highly sensitive
Record, given our reputation for confidentiality, very disturbing.
11. I find that by making a decision under one of the law enforcement
exemptions under the MGA and subsequently trying to excuse itself from
producing the Record to the Review Officer because it claimed it no
longer had custody of the Record and then making a new decision that the
Record is excluded, the HRP has subjugated the whole purpose of the
oversight provisions.
12. I find that it would be unconscionable to let the HRP’s decision
stand that characterizes an investigation Record as a Record related to
a prosecution when there is not one scintilla of evidence of a
prosecution.
Recommendations: The Review Officer made the following
Recommendations:
1. The HRP provide the Review Office with a copy of the complete and
accurate Record; and
2. The HRP provide the Review Office with evidence that there is an
ongoing prosecution and evidence as to how the Record relates to a
prosecution.
Key Words: abridged, attorned, absurd result, excluded,
exclusion, exemption, investigation, jurisdiction, purpose, prosecution,
Record, refusal, scintilla, unconscionable.
Statutes Considered: Part XX of the Municipal Government Act, s.
462(a)(v), 463(2)(f), 475(1)(a), 475(1)(c), 476, 491, 501(2); Freedom of
Information and Protection of Privacy Act s. 4(2) and Regulations s. 22.
Case Authorities Cited: NS Review Reports FI-05-47; O’Connor v. Nova
Scotia (2001) NSCA 132; AG(ON) v. Toronto Star 2010 ONSC 991; Alberta
Order 99-03; ON Order MO-2381; Alberta Order F2010-023.
Other Cited: NS FOIPOP Procedures Manual (2005).
FI-10-41/FI-10-85/FI-10-86/FI-10-87
Report Release Date: June 1, 2011
Public Body: Transportation and Infrastructure Renewal
Primary Issues: Whether the Department of Transportation and
Infrastructure Renewal [“Transportation”] appropriately applied the
Freedom of Information and Protection of Privacy Act [“Act”] and, in
particular:
1. Whether the public interest provision overrides all of the other
exemption(s) claimed by Transportation.
2. Whether Transportation has caused inordinate delay. Whether the
adequacy of the search for the Record has contributed to the delay.
Whether Transportation’s failure to meet its statutory duty to assist
has contributed to the delay.
3. Whether “not responsive” can be used as an exemption.
Secondary Issues: The following are issues that arose during the
Review process but which the Review Officer did not need to make
Findings and Recommendations in order to dispose of the Review:
1. If the information that withheld under s. 12 of the Act were to be
disclosed, whether the conduct of intergovernmental relations between
the Government of Nova Scotia and a municipal unit would be harmed.
2. Whether the information withheld under s. 14 of the Act fits the
definition of advice or recommendations.
3. If the information withheld under s. 17 of the Act were to be
disclosed, whether the government would suffer financial or economic
harm.
4. Whether the information withheld under s. 20 of the Act fits the
definition of personal information. Whether the disclosure would be an
unreasonable invasion of privacy. Whether s. 20(4) of the Act applies.
5. Whether the three-part test applies to the information withheld under
s. 21 of the Act.
6. Where it has been determined that a discretionary exemption applies,
whether Transportation has properly exercised its discretion to apply
it.
Record at Issue: Pursuant to s. 38 of the Act, Transportation has
provided the Freedom of Information and Protection of Privacy [“FOIPOP”]
Review Office with a copy of the complete Record, including the
information withheld from the Applicant. At no time are the contents of
the Record disclosed or the Record itself released to the Applicant by
the FOIPOP Review Officer or her delegated staff.
The Record consists of a number of document types including letters,
emails, meeting minutes, handwritten notes and memorandums. The
Applicant has chosen to focus on “key documents”.
Summary: An Applicant made multiple Applications for Access to a
Record on behalf of a Residents’ Group referred to as Protect the Bay.
The multiple Requests for Review of the Transportation’s decisions to
withhold a significant portion of the Records were consolidated into one
Review, as the Applications for Access to a Record were the same but for
various consecutive time periods. Transportation withheld a large
portion of the Record relying on many exemptions and a “not responsive”
designation. The Review Officer found that the public interest override
was paramount and that it should be applied in this case to release the
remainder of the Record except for third party personal information.
Findings: The Review Officer made the following Findings:
1. I agree with Transportation’s decision to waive the fees based on
public interest.
2. I find that the public interest in s. 31 of the Act is paramount and
applies to the entire Record except for personal information of third
parties.
3. I find that Transportation caused inordinate delay in this Review.
4. I find that the back and forth trying to pin down the exact
parameters and content of the Record contributed to the delay.
5. I find that Transportation essentially ignored my decision to
expedite the Review and caused delay by choosing to exceed the time
allotments given to public bodies.
6. I find the resulting delays were unnecessary and inappropriate.
7. I find that “not responsive” cannot be used as if it were an
exemption to withhold information that does not fit within any of the
exemptions simply because the public body does not want to release it.
8. I find there are strings of emails identified as “not responsive” but
clearly do not fit this description.
9. I find that Transportation’s use of “not responsive” is wholly
inappropriate and not permitted under the Nova Scotia legislation.
Citizens have a right to access a Record.
10. I find that “not responsive” has been used by Transportation to
shelter access to parts of the Record that are in fact responsive and do
not fall under any exemption claimed.
Recommendations: The Review Officer made the following
Recommendations to Transportation:
1. Disclose the remainder of the Record, the portion previously withheld
under a number of exemptions, with only third party personal information
severed, because disclosure is clearly in the public interest. This
would include any portion that relates to other projects as it has been
identified as part of the responsive Record by Transportation.
2. In future Reviews, Transportation should make every effort to comply
with any term or condition imposed by the Review Officer including the
condition to expedite a Review.
Key Words: accurate, burden, complete, confidential, consent,
delay, discombobulating, discretion, duty to assist, environment,
expedited, fees, financial harm, limited and specific, justice delayed,
justice denied, onus, open, nonsensical, not responsive, open-house,
override, paramount, personal information, public interest, public
meeting, third parties, waiver.
Statutes Considered: Freedom of Information and Protection of
Privacy Act, ss. 2, 5(2), 7, 31, 38.
Case Authorities Cited: NS Review Reports FI-02-20, FI-08-107,
FI-00-29, FI-07-58, FI-07-60, FI-07-72, FI-06-71(M), FI-07-59,
FI-10-49/FI-10-51, Grant v. Torstar Corp., 2009 SCC 61, Ontario (Public
Safety and Security) v. Criminal Lawyers’ Association, 2010 SCC 23