Canada's Information Laws

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Office of the Privacy Commissioner of Canada

Bangkok, Thailand
May 6, 1998

Gerald Neary
Director, Investigation & Inquiries
(Check Against Delivery)


Good morning!

I have been asked to explain Canada's information laws; a bit of their history, the procedures, what parts the various organizations play, how it works,and how well. We do not pretend that this approach is perfect, or necessarily the best in the world. Indeed there are many vocal and thoughtful critics of the laws in Canada, and some of their criticism is indeed valid.

I hope to leave you with enough information for you to draw your own conclusions and perhaps learn from our mistakes. (Quote)

At the end of my talk, I would like to have some time to hear your comments and to try to answer your questions. I do not intend to fill all your time listening to me.

I work for the federal, or national, Privacy Commissioner's office and so much of what I tell you today will be about the federal model of information law. I will try to point out where provincial government law differs as I go along. As any student of Canadian politics will tell you, there are interesting differences between the two levels of government which show up even in information laws.

The first notable difference, and the logical place to begin, is with the federal decision to have two acts. One, the Access to Information Act, establishes legal rights of access for anyone legally present in Canada to general government records. These records could include everything from government studies on pollution in the Great Lakes or chemical additives to tobacco, to which company won a government contract, and the terms of the contract.

The other act is the Privacy Act. It is a separate law which allows anyone legally present in Canada not only to have access to their own personal information in federal government records but also to maintain some control over how the government collects, uses and discloses their personal information.

The purpose of both laws is to make Canadian government open and accountable to the people it serves. An informed and engaged public is fundamental to a healthy democracy. Sharing information means sharing the power. The more and more complex the functions of government, the greater the pressure from academics, researchers, public advocacy groups and journalists to know analyze and understand the issues, and to hold government to account for the decisions it makes on the public's behalf.

Canada was not at the head of the list of countries passing information laws, not by a long shot. The winner by many kilometres was Sweden which passed a freedom of the press law in 1766. The next round saw Finland, Norway, Denmark, France and the United States pass freedom of information laws, but not until the middle part of the twentieth century.

The greatest influence for Canada was, of course, the United States. As we say, if you sleep next to an elephant, it's hard not to notice when he rolls over. Hard on the heels of Congress passing the US Freedom of Information Act in 1966, Canadian advocates began pressing government for similar Canadian law. Several bills were introduced by individual members of Parliament, but without government backing, failed to pass. It took another 17 years, and the continued pressure by a dedicated group of advocates, for the Access to Information Act to take effect in 1983.

One important distinction between the American and Canadian government is our Parliamentary system which makes Parliament sovereign, and Ministers of the Crown responsible for the actions of their departments. Cabinet Ministers, unlike the American model, are members of Parliament and sit on the floor of the House of Commons. There they must answer daily to opposition members,and ultimately to the public,for their programs. Critics of the law worried that it might weaken this system of Ministerial responsibility and their collective decision-making process.

Other countries with Parliamentary systems clearly shared these concerns. Countries such as Australia, New Zealand and Great Britain have also been slower adopting freedom of information laws. The new British government has issued a consultation paper and is hoping to have its law in place by the millenium.

So how does Canadian law work?

The law applies to all records held by federal government departments, boards and commissions, but not to so-called Crown corporations that are in competition with the private sector. Nor does it apply to Parliament itself, nor to the Courts, the Commissioners' offices, and not to private business. The Act also excludes Cabinet documents and material already published or available in libraries and museums.

Records are broadly defined and include those in machine readable form. Interestingly, they also include a record which may not exist at present but which the department can produce employing the computer hardware, software and technical expertise it normally uses.

As you may have guessed, the law's right of access is tempered by several specific exemptions which fall into two categories; those that are mandatory and those that are discretionary. Government is prohibited from disclosing information supplied in confidence by other governments, either in Canada or abroad. Officials also must not disclose information gathered by the Royal Canadian Mounted Police (our national police force) while acting as a provincial police force. Nor may it release trade secrets of businesses, or personal information. (I will come back to personal information later when I explain the Privacy Act.) These are all mandatory exemptions.

Government officials have some latitude with the discretionary exemptions. They may withhold information if they believe that disclosure could:

  • endanger the safety of an individual;
  • injure relations with other governments;
  • prejudice federal-provincial relations;
  • reveal information about how it detects and prevents crime, subversion and espionage, and
  • reveal defence secrets, government financial information, confidential third-party information, its testing and auditing procedures, information protected by solicitor-client privilege and internal working documents.

How do individuals get access to the information they seek?

The person must first apply in writing to the government department or agency that holds the record, and pay the $5 fee. That could be much more difficult than it sounds,how do you know who has the information? The law anticipated that problem and requires government to assemble and publish every year a description of its information holdings. This directory, called Info Source, also lists the addresses of the responsible person in each agency to which the applications should be sent.

The government department has 30 days to respond to the request and may extend the period if there are a lot of records and responding within the 30 days would interfere with the department's operations.

If the department refuses to disclose a record, it must specify on what grounds the information is exempt from access.

When a department proposes releasing information about a third party, for example, a business,it must advise the third party and give it 20 days to make any objections to releasing the information. Should the departments decide to proceed with releasing the information, it must advise the third party once again and give it a further 20 to apply to the Federal Court to prevent disclosure.

Departments may charge fees for photocopies, time spent searching for paper records in excess of five hours, and time spent searching machine readable, that is, electronic records. Applicants must be given an estimate of costs in advance, and may be asked to pay a deposit.

The act also requires that the records be provided in the official language of the applicant's choice (either English or French). It also obliges departments to convert the records to an alternative format if the applicant has a sensory disability. This means providing, for example, tape recordings or Braille documents for those who are either blind or whose sight is seriously impaired. Departments are allowed extra time to translate or convert any records.

The right to privacy

I now want to turn to the Privacy Act which, I emphasize, is a separate law. This may puzzle you, I will explain. The decision to write a separate law is the result of both legal and historical considerations.

I will begin with the ethics and the value that the law defends. I would like to read to you the words of Privacy Commissioner Bruce Phillips in his recent appearance before a Parliementary Committee. They summarize his thinking about privacy in our society.

'Privacy is often so taken for granted in a democracy, so self-evident that it has almost ceased to be evident. Privacy is the value at the foundation of the secret ballot, doctor-patient confidentiality, solicitor-client privilege, wiretapping law, the concept that our homes are our castles, and our society's fierce defence of the autonomy of the individual.

In the words of one of our Supreme Court Justices, Mr. La Forest, privacy is "at the heart of liberty in the modern state." Respecting one another's privacy means the difference between a life of liberty, autonomy and dignity, and a hollow and intimidating existence under a cloud of constant oppressive surveillance.

Thus privacy is not an individual right enjoyed at the expense of society as a whole. It is part of the glue of mutual respect which helps hold a free society together. Whether to reveal or conceal the details of our lives are decisions for the individual to make, not the state,except in the most limited and exceptional circumstances.'

Canadians hold their privacy dear. As early as the 1960s, they began questioning the relationship between information, privacy and political power. They began to worry that our increasing use of computers could lead to loss of individuality or enforce conformity.

As the concerns grew, two government departments, Communications and Justice,struck a joint task force in 1971 to examine the issues. Their study led to their watershed report, Privacy and Computers. The task force's recommendations contributed to privacy rights being embedded in law in 1978 as part of the Canadian Human Rights Act.

The current Privacy Act built on and strengthened those rights. It also reflected privacy guidelines adopted in 1980 by the Organization for Economic Cooperation and Development (OECD) of which Canada is a member.

Those guidelienes were drafted specifically to protect personal information that was beginning to be transferred electronically across international borders. Several European countries particularly were concerned because they have strong privacy laws which also cover business. They worried that transferring personal information out of the country would mean the information would lose any protection of their laws. The European Union now has a comprehensive Directive on protecting personal information which will take effect in October of this year. The Directive establishes a common privacy standard within the Union. It will also allow European privacy commissioners to block transfers of personal information outside the Union if the receiving country does not have adequate privacy laws in place.

Privacy is also specifically protected in the Universal Declaration of Human Rights:

"No-one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right of the protection of the law against such interference or attacks."

As well, there is similar language in the International Covenant on Civil and Political Rights.

The Privacy Act

Unlike the Access to Information Act, the Privacy Act has two essential functions. The first, like the Access Act, is to provide individuals with the right to examine information about themselves kept in government records.

But the second function of the act is more vital to protecting individuals' privacy. The law also controls what information the government collects about people, how it uses the information and how it discloses the information. The law also obliges government to ensure that the information is as accurate, up to date and complete as possible. And, once personal information has served its purpose and need not be archived, it must be properly destroyed. We refer to this as the fair information code.

I will begin with the access rights and give you some examples. A government manager could ask to see information the government gathered to investigate allegations that the manager had harassed an employee. Any government employee could ask to see the records officials assembled during a dispute with the employee.

Someone who applied for, and was denied a disability benefit could ask to see the records which led to refusing the pension.

There are exceptions to the right to see the information and some of the exemptions are similar to the Access Act. The government may deny access to:

  • information received in confidence from other governments;
  • information which could injure Canada's defence or the conduct of its affairs;
  • information collected by an investigative body during the investigation of a crime;
  • information which threten an individual's safety;
  • information protected by solicitor-client privilege;
  • information about the individual's health if disclosure would be contrary to his or her best interests;
  • information gathered to conduct an individual's security clearance, and
  • information about another person.

Citizens also have the right to ask to correct information and the right to annotate disputed information if the department refuses to correct it.

Those, broadly speaking, are the access rights. The fair information code establishes that government departments cannot without the person's consent, use information for a purpose other than the one for which it was collected, or a use consistent with that original purpose. Nor may government disclose the information without consent. There are exceptions to this disclosure rule. For example, information can be released:

  • to comply with another act of Parliament;
  • to comply with a warrant or subpoena;
  • to the Attorney general of Canada to use in a legal proceeding;
  • to an investigative body when enforcing a law;
  • to another government in order to enforce a law when there is an arrangement between the governments;
  • to a Member of Parliament whom the person has asked for help;
  • to carry out an official audit;
  • to transfer to the National Archives;
  • for bona fide statistical and research purposes;
  • to benefit the individual, and
  • to further the public interest.

Anyone seeking access to their personal records can locate them using the same government directory used under the Access Act. The information is organized into Personal Information Banks at the conclusion of each department's listings. The directory not only describes the records,it also describes why the information is collected, how it is used, to whom it is disclosed and how long it is kept. A similar but separate directory describes records held about employees. Applicants for personal information pay no fees either at the front end, or for search time or copying.

Responsibilities for both acts are divided among several players. These are the Treasury Board, the Department of Justice, the individual government departmnents, the Information and Privacy Commissioners, and finally the Federal Court. I will explain each in turn.

The Treasury Board is the federal government's management board and is the employer for the public service. The Board develops policy for government administration of the Access and Privacy Acts. It requires the departments to report annually on their administration of the two laws. And it compiles and publishes the Info Source directory which helps citizens find the information they are seeking, as well as the application forms and explanatory brochures.

The Department of Justice develops legal policy for the laws, and its lawyers in each department provide legal advice and interpretation to staff responding to requests or handling personal information. Justice would also draft any needed amendments to the laws.

The head of each individual government department is responsible for managing its information holdings according to the laws. In practice, the head usually delegates this responsibility to an official who,at least in large departments, has a unit of staff. These staff respond to access requests and advise departmental staff on program design and delivery,particularly when it concerns personal infomation. They also must deal with any complaints.

The Information and Privacy Commissioners are independent Officers of Parliament who are appointed by the House of Commons and the Senate. They serve for a seven-year term and cannot be removed except by a vote of both houses of Parliament. Their unusual status (there are only five such positions in Canada) helps ensure their independence of the the party in power which might have its own reasons not to have information released.

Both Commissioners investigate complaints from individuals who think their requests have not been properly handled. For example, individuals may complain that information has been withheld, or that the search and reproduction fees under the Access Act are too high, or the department is taking too long to provide the information.

In addition, the Privacy Commissioner may investigate complaints that the government has collected too much personal information or has used or disclosed the information improperly. The Privacy Commissioner may also conduct routine audits of a department's information management. The Privacy Commissioner must also be notified if a department proposes to disclose personal information to third parties in the public interest. As well, departments must submit data matching proposals to the Privacy Commissioner for his comment and assessment.

Both Commissioners may initiate their own complaints.

The Commissioners are ombudsmen whose responsibility is to resolve disputes between applicants and the government and to ensure administrative fairness. As ombudsmen, they cannot issue orders. However, faced with what they consider an improper refusal to provide access to information, they make take the complaint to the Federal Court.

The Commissioners have strong investigative powers,they may examine all files, including security service and police records, but not Cabinet confidences. They may even subpoena records and compel witnesses' testimony, although this has never been necessary for the Privacy Commissioner.

The Federal Court may be asked to review the government's denial of access, but not until after the appropriate Commissioner has investigated. If complainants are still dissatisfied after the Commissioner's investigation, they may ask for a Court review. However, the Court review is de novo, that is, from the beginning of the process. It examines the government's action, not the Commissioner's investigation or his recommendations.

Preparing for the coming of the legislation demanded considerable work on the government's part. The Treasury Board had to develop and publish procedures and guidelines to help individual departments organize. It also had to develop an appropriate fee structure for the Access Act.

Individual departments had to review their information holdings, adopt their records management operations to the laws and separate out information which could be made routinely available and what might be exemptable. Departments had to describe their information holdings to the Treasury Board for inclusion in the directory. They had to establish reading rooms across the country where the public information is on display. Responsible officials had to be designated and departmental access and privacy units organized and equipped. Last, but not least, departments had to educate their employees about their responsibilities to the public. Employee education was spotty and I have to say that fifteen years later, the education task continues, with mixed success.

There seems to be little consensus on where the responsibilities for the laws should lie within the departments. Some designated their legal advisors, others gave it to their human resopurces or personnel branches, yet others to their records management or public affairs (communications) branch.

But there is a reason for the different approaches. To some extent, the choice was influenced by the size of the organization and the type of records it holds. A small agency which receives few or no requests (and there are some) might choose the executive director, or senior public servant, because the obligation is important and the workload unlikely to interfere with his or her other responsibilities.

Other departments, which receive thousands of requests a year, and there are some of those too, would obviously not saddle a senior manager with the daily workload. However, the manager retains the overall responsibility.

As I said, the work of the department and the type of records it holds also plays a part. Departments like Public Works and Government Services receive mostly Access to Information requests, frequently about awarding government contracts. In contrast, most applications to the Department of National Defence are from serving members seeking access to personal files. At the Department of Human Resources which administers the social benefit programs, many applicants want to look at their own benefit files. Each department assigns the task to different points in the organization.

Another step in implementing the laws was, of course, appointing the Commissioners and organizing and staffing their offices.

Well, the obvious question is how are the acts working. The reviews are mixed and it can vary from one Act, and one critic, to the other.

Both Commissioners have said that the fundamentals are sound. Not surprisingly, both have specific suggestions for improvement.

Speaking to a panel of senior officials, the Privacy Commissioner focussed on a handful of concerns.

The first is the need to clarify how we define personal information to bring it up to speed with new technology. For example, he recommended defining biological samples, tissue, blood, semen, as personal information for the purposes of the Act.

He recommended a clearer definition of what personal information about public servants could be released to the public to enhance government accountability. The current wording is imprecise and has led to disagreements over access to overtime log-in sheets, performance appraisals and parking passes. A clear definition would have avoided disputes and at least one costly Court case.

He also advocated tightening some of the exempting provisions. He finds particularly offensive the notion that departments can withhold information from applicants simply because the law allows it, even though disclosure would cause no demonstrable harm. All exemptions should be subject to an injury test.

And given the fundamental importance of the fair information code, the Commissioner would like to see expanded rights for individuals to appeal to the Courts about government collection, use and disclosure of personal data. This could include injunctive rights, or a privacy tort allowing individuals to sue for damages.

Also needed is a much tighter concept of the notion of control of personal records. This would prevent government institutions from circumventing the act by contracting out investigations and surveys, or distancing themselves from personal records like panel members notes.

Both Commissioners recommend circumscribing the exemption for Cabinet documents and want to be allowed to examine the documents to ensure that the claim is legitimate.

Of course, government administration of the acts could improve. A common criticism of government's response to requests for access is unreasonable delays. The Information Commissioner says that two thirds of his complaints cite delays well in excess of 30 days allowed to provide the information. Some files are months behind. Time limit complaints make up about 40 per cent of the Privacy Commissioner's complaint load.

The cause of the delays can frequently be ascribed to government cutbacks and the volume of requests. Some units are labouring under huge workloads and have lost staff during recent government downsizing. The result is employee burnout and public frustration. Although one can sympathize with departments seeking ways to save money, targetting access and privacy units is wrong. Information rights have become a core legal obligation of government to its citizens. Hamstringing these operations breeds public suspicion and cynicism.

Occasionally, the delay can result from a department seeking creative ways to keep information from the applicant. This seldom works. It simply delays the inevitable, particularly if the person complains to the Commissioner. Once the time limit has expired, both acts deem the delay to be a denial of access and so make it possible for the applicant to go to Court. As our first Information Commissioner put it, 'Embarrassment is not an exemption under the Access to Information Act.'

This apparent reluctance by some departments illustrates what the Information Commissioner suggests is lack of will in some departments to embrace the law and make it work. There is no doubt that these laws require a sea-change in attitude on the part of public managers. But that is the price and the obligation of a democratic state.

A frequent criticism of the Access Act is the fees charged to applicants. Some quotes for records have amounted to many thousands of dollars. Critics argue that fees can be a constructive denial of access. In fairness, some of the requests are so extensive, and the applicants are major corporations and media outlets which are well able to pay the bills. There is no justification for the considerable expense being billed to the public purse. Frequent applicants need to learn to do more research at the front end and focus their requests on the essential records. Fees are not an issue under the Privacy Act.

Another criticism surrounds frequent users of the Acts. Some applicants file literally hundreds of requests and consume substantial resources in both the departments and the Commissioners' offices. The law does not provide for refusing trivial or vexatious requests.

The Information Commissioner suggests amending the Access to Information Act to allow such a refusal but make it subject to the Commissioner's review. The Privacy Commissioner, dealing as he does with individuals seeking access to their own information, does not support a similar amendment to the Privacy Act.

Date modified: