Information and Privacy Law: A Canadian Perspective

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Office of the Privacy Commissioner of Canada to the Government House

Bangkok, Thailand
December 14, 1998

Mr. Gerald J. Neary
Director, Investigations & Inquiries
(Check Against Delivery)


Ladies and Gentlemen,

May I say what a pleasure it is to return to Thailand and how honoured I am to be part of marking your first anniversary of the Information Access Law.

Before I begin, I would like to say something I say at every speech I give when I am in Canada and that is this:

Information is knowledge, and knowledge is power. The information my government holds is the information of the citizens of Canada. We allow our government to hold this information in trust for us. The purpose of our information laws is to ensure that the trust is upheld. The purpose of these laws is to make our government open and accountable to the people it serves. An engaged and informed public is fundamental to a healthy democracy. Sharing information means sharing power, and that is the purpose of our information law.

Anniversaries are a natural time for celebration, reflection, and occasional soul-searching. They evoke nostalgia, sometimes regrets, and almost always hope. We have just marked the 15th birthday of the Canadian laws on information access and experienced most of those emotions.

We felt some nostalgia for the excitement of those early days, like the ones you are now experiencing, when every day seemed to bring something new. When almost everything seemed possible. I urge you to remember to savour it even while while you are working so hard.

We all have some regrets, perhaps for the jobs we could have done better, the opportunities missed, or the people we couldn't help.

And we certainly have hopes. Personally I hope to see our case backlog cut in half. And I hope my boss gives me more money and more staff! Among the more realistic hopes though, are those for a new privacy law. A bill, just introduced into our Parliament, will expand Canadians' privacy rights into the private sector. Unlike European laws, our current Privacy Act deals only with the federal government. As we speak, a committee of Parliament is examining the new bill which the government hopes will become law next year.

I looked back over the 15 years considering, if I could only tell you one thing that struck me about what I do, what would it be?

I concluded that, despite the higher visibility of access to (or freedom of) information, despite its appeal to journalists, and despite its ability to help hold government accountable, access to government records is still an administraive right. Administrative rights are important, of course. But, over the past 15 years it is protecting Canadians' privacy that has become vital to maintaining a healthy democracy. Privacy is a fundamental human right. Privacy matters. It is a bedrock human value which a former Canadian Supreme Court Justice described as "at the heart of liberty in the modem state".

Nor, is it an individual right we enjoy at the expense of society as a whole. Respecting one another's privacy is an integral ingredient in the glue of mutual respect which helps hold a free society together. Respecting the boundaries that we choose to draw around ourselves makes the difference between a life of liberty, autonomy and dignity, and a hollow and intimidating existence under a cloud of constant oppressive surveillance.

The fundamental nature of privacy's value is the primary reason that Canada has separate Information and Privacy Acts. The Access to Information Act establishes legal rights of access to anyone legally present in Canada to general government records. These records could include such things as government studies on pollution in our rivers, or chemical additives in tobacco, or information about which companies won a government contract, and the terms of the contract.

The Privacy Act allows anyone legally present in Canada to have access to their own personal information and also to maintain some control over how the government collects, uses and discloses personal information.

To oversee these laws, Parliament appoints an Access to Information Commissioner and a Privacy Commissioner. These individuals are independent officers of Parliament who are appointed by our House of Commons and Senate, not by the government. They serve for a seven-year term and cannot be removed except by a vote of both Houses of Parliament. Their unusual status helps to ensure their independence from political pressure.

The people who drafted Canada's Privacy Act adopted the principle that privacy would be more important than information access. And one reason for that is that we had watched the United States Privacy Act being steadily circumvented by its new Freedom of Information Act. In the U.S., applicants can get access to others' personal information if the government or the individual cannot demonstrate a clearly unwarranted invasion of privacy.

A lawyer who helped write Canada's Privacy Act said, "the rights of an individual to privacy...should be recognized as a greater order of right that the general right of a citizen to obtain information from government files". Fifteen years later, we can only applaud.

In practice, this has meant that privacy has its own law and personal information is exempt under the Access to Information Act. If I want information about another person, I can only get it if the Privacy Act allows. The effect has been to provide Canadians with greater protection than does the American statute.

But, enough about our anniversary. You have already have reason to celebrate. You have made tremendous strides in applying your new law. Yes, I am sure there are criticisms. And the criticisms may well be valid. But, telling politicians and government officials that they now must give out what they have spent a career protecting requires more than simply writing a new law.

The toughest lesson we Canadians have had to learn is that making information and privacy law work is not just a matter of learning what the law says. In fact, that is the easier part. The most difficult hurdle for us to leap was dealing with human nature.

As we say in English, old habits die hard. That is what we, and you, are wrestling an entrenched attitude to public administration. So, if there is a theme for my talk today, it is this; making your new law work is about breaking old habits and developing new ones. And if you have ever had to try and break a habit, you will know how difficult it can be.

I don't say this to excuse bureaucrats' instinctive moves to protect information. But, faced with possible embarrassment, or a challenge to an administrative decision, or the prospect of a lawsuit, it is natural to cover up. What we are all trying to do is make disclosure of general information a habit. We need to make it a habit to give individuals access to their own information. In short, we must develop a new habit, that of considering it the public's information which government holds and uses in trust for its citizens.

Canadians recently celebrated the 15th birthday of our Access to Information and Privacy Acts. I can tell you quite frankly that routine disclosure is not a habit just yet. But, the good news is that neither is hoarding information a habit. I think you could say that we have reached the mid-point. That is the stage where officials expect access requests. Most now accept, and some even welcome, this indication of public interest in their organizations. But, there will always be some who expend their energy on finding ways to hide what they don't want revealed. While not perfect, it is progress nevertheless.

Another habit that some have had to break is using the back door to get information. By that, I mean developing ongoing relationships with government staff that allows them to see information the law now protects. This is what we call the "old Boys Network". I will give you an example.

Our National Archives has comprehensive personal records on many Canadian citizens, including immigrants, former public servants and members of the Royal Canadian Mounted Police and the military. Once a person retires from any of these positions, their records are transferred to the Archives. As you can imagine, these records can be very valuable for individuals seeking information about these people.

Shortly after the Acts came into force, Archives staff were faced with police officers stopping by to check the files on individuals they might be investigating. This had become more or less routine with some investigators who had developed personal contacts with Archives staff.

But, with the Privacy Act in place, giving out personal information to third parties is done only under exceptional circumstances. Law enforcement investigators may well have a legitimate case for asking to see personal records. But now they have to substantiate and document their requests. And the requests are available for the Privacy Commissioner to examine to protect against abuse. Archives staff and police officers alike had to break that comfortable old habit.

Some Royal Canadian Mounted Police officers were not happy with the new, more rigorous arrangements. In fact, when the Archives supervisor steadfastly refused all informal requests, the Police investigated him to see why he would no longer cooperate. The Archives supervisor is now one of my employees, that's how we heard the story.

The story demonstrates how everyone can make mistakes and learn from them. The Royal Canadian Mounted Police have gone on to create the best Information and Privacy Unit in government.

There were some even less legitimate requests. In one instance, the president of the organization representing armed forces veterans stopped by to check up on the person who was a candidate to be the new president. Archives staff had to tell him politely but firmly that this was not a legitimate disclosure of the man's personal file. They suggested he do his research elsewhere.

I would like to spend some time discussing with you some of the lessons we have learned about putting our own laws in place. Then, I want to explore the delicate balance between the public's right of access and the obligation to protect personal records. I will illustrate with some case studies.

I will begin with some of the lessons we learned. of course, countries' laws and cultures differ. Some of our lessons may not be relevant for you. And there is no single view of what is right and wrong in Canada. Even within our own tiny office, among committed information law advocates, some cases have prompted lively debates and disagreements.

One of the first lessons Canadian government departments learned was, organize our records. I know that sounds self-evident. But, you would be astonished how poorly organized some records systems were. I say "were" because some honest bureaucrats have admitted that the Information and Privacy Acts spurred them into a major reorganization and housecleaning. And even well organized record systems were probably never structured to respond to access requests.

There are two reasons to organize. The first is making public access possible, the second is enabling government response to access requests. How can the public ask for access if they don't know the information exists, or if they know but don't know where it is? And how can government respond to a request if staff can't find the information?

The cynic would say that keeping the public in the dark will keep the number of requests to a minimum. The answer is, of course, that this is the public's information keeping them in the dark is one of those old habits. It is no longer an option.

Having to describe what records they held paid real benefits to some departments which took the job seriously. Staff had to examine what programs the department administered, what information it collected and produced, where it was stored, how long it was kept, and what happened to it when it was no longer needed.

This information was assembled into a public directory to help individuals locate and get access to the information which interested them. The directory is updated every year and is available for sale or can be consulted in government offices, major libraries and central locations across Canada.

Now, I cannot say that the directory solves the access problem. It is intimidating for many people. It runs to almost 1000 pages. It is cumbersome. And in some places its descriptions are sufficiently vague or bureaucratic that the reader is none the wiser. Having said that, I do not know what better options there were to inform the public at the time. And it was a remarkable effort by an advanced industrial nation to catalogue its records holdings in fact, it was the first time it had even been attempted. (To my knowledge, for example, the United States has not published anything similar).

The second lesson we learned was, find excellent staff for each government department's information and privacy unit. This is neither the time or the place to hide marginally competent or uncommitted people. These staff will be on the front lines of what occasionally becomes a battle for public access. They must be knowledgeable, competent and fair. They must have the respect of senior managers and the public. And they must be strong-minded.

I say that because they will face the inevitable questions about their loyalties to the organization. And they will have to resist the inevitable pressure from colleagues and managers within the organization to look the other way. These staff are what a former Canadian Privacy Commissioner called the "consciences of their departments". When they do their jobs well, these people are very important for their organization. They keep their organizations out of trouble. And they make complying with the law a routine part of the organization's business.

On the other hand, poor staff cannot cope well with the volume of access requests. They can make bad decisions on sensitive requests which can lead to complaints to the (Commissioner). They may be ill-informed and therefore unprepared to offer advice to managers. And if they are not a good resource for the department and senior officials, they are sidelined or ignored. The result can be poorly thought out policies or programs which end by embarrassing officials and politicians.

Our next lesson was to train and keep training staff of all government departments. Training never ends. Motivated staff may learn quickly and find creative solutions but they must have a solid core of information. Training can be formal or informal, of course. An example might be from one of our major departments which broke the training down into four phases:

  • a one-day orientation;
  • a 2-3 week period of one-on-one training which looked at the records' contents, understanding and applying the law, processing procedures and exemption policies;
  • a practical phase intended to achieve a level of comfort and ease with the work, all of which was reviewed, but no performance standards were applied or tested;
  • the final evaluation stage in which performance standards were applied and tested. Successful employees were certified as information law analysts. Of course, training needs to be ongoing if staff are to provide line managers with good advice. Perhaps most critical is the growth in information technology. As organizations adopt new computer systems and other communications tools, they may unwittingly pose new threats to the privacy and autonomy of employees and clients. This is when you will count on alert, trained and technologically-aware staff.

We do find it important to make our information and privacy officials a resource for the entire organization, they can point out the pitfalls and help keep you out of trouble.

Another lesson for us was the need to develop comprehensive procedures. That too, sounds obvious but we soon found that one large department could document when it had received a request. It knew who had processed it and when the information was sent to the applicant. But, it could not establish which records had been reviewed. It couldn't determine which ones were released. And it could not say what material was exempted. One complaint to my office was enough to get proper procedures in place.

The third lesson we learned was that you have to educate all your staff. This too seems self-evident. But, I have to tell you amazing as it seems that there are more than a few federal public servants in Canada who, after 15 years, say they have never heard of the Privacy and Access to Information Laws. Understanding their obligations under the law is as fundamental to being an effective public servant as is learning how to perform their daily tasks. Training staff about information and privacy is a core responsibility of any government. The law simply will not work well if staff collect, use and disclose information in complete ignorance of their responsibilities.

The Canadian government made a serious effort at the outset. It produced a comprehensive manual of policy guidelines for both laws to which all staff had access. The manual sets out the purpose of the laws. It describes the responsibilities of all the players. It establishes clear directions for all its staff on all matters contained in the law. These include collection, disclosures, access procedures, exemptions to access, and the oversight process. The manual has helped ensure an even interpretation of the law across all government organizations. It was a major task, but well worth it.

The government followed up the policy manual with regular implementation reports and circulars to clarify some matters and advise of new procedures.

The fourth lesson we learned was we had to educate the public. In the broadest sense that is because a good law will become better by being used. Its principles become embedded in a democratic society and expand their influence beyond the narrow application of the law. In Canada the concept of the Right to Know has taken root and is spreading far beyond just government operations. Increasingly, Canadians expect organizations to be accountable.

In the narrower sense, you also must educate the public about access to government records. It is not up to the individual citizen to discover that there is such a law. They should not have to ferret out what information exists. Nor should they have to determine how to exercise their rights. This is not a fair match. Without substantial help from government, the public has little chance in the game. Government must accept this responsibility to level the playing field.

Frankly, I think we could be doing this job much better than we are. Once the initial flurry of publicity surrounding the acts was over, the directories published and the brochures sent to libraries, the education efforts died. The government's attention turned elsewhere.

The people to whom the public turned for information the Privacy and Access to Information Commissioners were given no mandate and no money for education. In fact, if they attempted to educate the public, of ficials grumbled that they were trying to drum up business. But the public wanted information from the Commissioners, whom they saw as a neutral party. They did not want it from government which they suspected, whether rightly or not, as having various conflicting priorities. Fortunately, the Commissioners ignored the grumbling and have spoken out forcefully. It may have helped that both Privacy and Access Commissioners were former journalists!

Public education is an integral part of a healthy, functioning information rights process. It must be mandated and funded properly or the public will remain uninformed. And with the public left uninformed, open government is mere pretty words and efficient process. It is not accountable government.

The fifth lesson for us was that senior managers must be committed to respecting the law. The law simply never will work well if officials have to be dragged every step of the way. It cannot work if employees must constantly worry whether their managers will support them. And by commitment I mean that, in Canada, we want senior Canadian officials to do more than reluctantly acknowledge that Parliament passed an Information Law, so they must obey it. I mean that we want Canadian senior officials to enthusiastically endorse the principles of information access and willingly actively and openly work to support the process regardless of the occasional discomfort or inconvenience it can cause.

If you can begin with this kind of top-level support, its influence will permeate the organization. Any disagreements over interpretation of the law at least will be resolved in the spirit of the law. And there will be disagreements. Fifteen years after passage of the Canadian Act, cases still have the power to cause lively discussions in my own office. That is the challenge and I have to confess the fun of my work.

A final lesson learned: expect to be surprised. Despite the preparations, some Canadian departments were inundated with requests. In the first year of implementation of our information and privacy laws, our National Archives expected 1200 requests, and received more than 10,000 requests.

Others received few requests for general records but far more for personal information than they had projected. For example, our department of National Defence received a huge numbers of applications from members, almost bringing the unit to a standstill. The requests eventually motivated Defence to routinely give members their personnel appraisals and their individual rankings from the annual promotion boards.

I suppose we should not have been surprised. It is human nature to be concerned with those issues that touch us directly; pension or employment benefits, tax files or employee appraisals. Personal information requests make up 80 per cent of the almost 600,000 applications received to date in Canada.

In Canada, at least, the prime users of the Access to Information Act are businesses monitoring who is winning government contracts, and journalists following potential stories. The nature of a department's business will determine what volume and type of requests it receives. Another factor which influences applications is media coverage. one broadcast about an incident, or an article in a magazine, or even a paper in a scholarly journal can prompt requests.

One final point while on this theme, in Canada all of the lessons we learned and all of our best intentions become redundant if our government does not take our law seriously enough to provide us with the money so we have the resources in terms of staff, facilities and technology to make our laws work. Fortunately, my government takes this responsibility seriously.

I now want to turn to the constant tension between access to information and privacy rights. Striking an appropriate balance between privacy and the public's right to know and to hold government accountable raises some interesting questions. One of these is when does privacy give way to other interests? There are exceptions to privacy rights. For example, some personal information about government employees may be disclosed in the interest of public accountability. Another example; personal information may be released if there is an overriding public interest. And information may be disclosed about someone receiving a discretionary benefit of a financial nature.

Some of these privacy exceptions have proven difficult to reconcile. I will illustrate with a few cases.

An early complaint to the Information Commissioner concerned a request for a list of all rental properties administered by a government agency in the national capital area. The applicant also wanted the names of the tenants and the amounts of rent each paid.

The agency released the list of rental properties but withheld the tenants' names and the rents paid. It considered the information personal. The applicant complained to the Information Commissioner. She argued that there were persistent rumours that friends of the government were selected as tenants and that they were paying rents below market value.

It was clear that the tenants' names and the rent paid meet the definition of personal information in the Privacy Act. However, two exceptions could be relevant. One of these allows information released about any discretionary benefit of a financial nature, including the person's name and the exact nature of the benefit. The question was; were the tenants paying fair market value or were they getting a special deal?

The second exception allows disclosure of personal information if there is an overriding public interest. The applicant argued that if friends of the government were getting special rental deals, there was a public interest in the disclosure.

The Information Commissioner hired an independent real estate appraiser to assess the value of 30 rental properties selected at random from the list. The assessor was not given the tenants names. His assessment concluded that the market value of 26 of the 30 properties was higher than the rent being charged.

The Commissioner accepted the agency's contention that there could be valid reasons for the rents being lower than market value. However, there was clear evidence which appeared to support the argument that tenants were receiving a financial benefit.

The Commissioner then invited the tenants to show why the information should not be disclosed. Virtually all opposed disclosure. Many tenants, and the agency too, argued that there were special criteria applied to tenancy such as community problems or compassionate grounds such as disadvantaged groups. Sitting politicians, their spouses and political parties were specifically excluded to prevent apprehensions of bias. And tenants of many of the properties did tasks normally provided by building managers. Finally, the agency also argued that government wage and price controls has also limited its ability to raise rents.

The Commissioner acknowledged that some of the factors may not have been considered. The evidence was insufficient to point to specific instances of alleged sweetheart deals. But, the overall pattern of low rents was clear. The agency is charged with administering the government's real property. Since this means public property and public money, the Commissioner concluded that the public had a powerful interest in seeing that it was allocated fairly. However, she also concluded that releasing the addresses and rents were sufficient to meet the public interest test. The names were not necessary.

The applicant disagreed and asked for a review by the Federal Court. The Privacy Commissioner sought intervenor status to ensure the tenants privacy interests were protected.

The Court found that the names and amounts of rent paid were personal information. However, by charging less than market rates and by selecting its tenants, the agency had conferred a discretionary financial benefit. The Court concluded that the information could no longer be considered personal. It also described the privacy interest in rental payments as so negligible as to be outweighed by the public interest in dispelling rumours of corruption or mismanagement of taxpayers money and property. It ordered the information disclosed.

Another balancing point between access and privacy happens where information about public servants is at issue. In the interests of public accountability, the Privacy Act allows certain information about current and former employees and employees to be disclosed. These details include title, business address, telephone number, job classification, salary range, responsibilities and the personal opinions or views they gave during their employment. The Privacy Commissioner has interpreted this wording narrowly.

The definition was at issue in the first information case to go before the Supreme Court of Canada.

In this case, an applicant asked to see the attendance forms signed by employees entering and leaving the Department of Finance after hours. The Minister provided access but deleted employees' names, identification numbers and signatures, considering this information personal. The Information Commissioner supported the Minister's decision to withhold the information.

The applicant asked the Court to review the Minister's decision. The lower court decision was disturbing. It rejected the privacy argument because the information was not predominantly personal. More significantly, the judgement appeared to shift the balance in favour of access over privacy. If there was any doubt, the Court said, it should be resolved in favour of disclosure. The Department of Finance appealed and the Privacy Commissioner intervened.

The Appeal Court's decision established clearly that Canada's two acts are on an equal footing. Both must be read together. The Appeal Court also rejected the predominant characteristic test which it found clearly wrong. Information either meets the definition of personal information or does not. The Court concluded that whether an employee is at a particular place at a particular time is information personal to that employee and decided in favour of the person who sued the government.

The Supreme Court agreed to hear an appeal. In a split 5/4 decision, the Court found that the information related to the individual's position and not to the individual. Thus it fell within the exception to the definition of personal information in the Privacy Act and could be disclosed.

Finally, the Supreme Court endorsed a broad definition of personal information as consistent with the great pains which Parliament has taken to safeguard individual liberty. The point is that in Canada, privacy was ruled to be a more important than access to information.

Of course, there are other good reasons for disclosing personal information. Several complaints to our office revealed that government was inconsistent in disclosing personal information gathered during investigations of sexual harassment in the work place. Some departments disclosed everything investigators collected. Some applied specific exemptions. Some withheld everything while the investigation was active. others released only summary reports but, did not identify witnesses or include their statements. Some organizations which are classified as investigative bodies would not disclose any information about these internal administrative inquiries. And some washed their hands of the whole process, contracting out investigations so that they would have no information in their own files. How you were treated depended on where you worked.

Two men accused of sexual harassment asked for information relating to the matter, but were refused information or witnesses' names. Both men argued they could not properly defend themselves without the information. The first asked the Court to order the release of all information the government used to decide the merits of the complaint. The second, under threat of firing, complained to the Commissioner but also filed an action in Federal Court. The Commissioner could not persuade the man's employer, an investigative body, to release the information. But, the court found that the government had denied the man the right to a fair hearing and ordered the information released.

It was clear to us that gathering information and testimony during these investigations, and then disclosing it, is a consistent use of the information. Release is also fundamental to administering a harassment policy. The process must be accountable and fair. It must acknowledge the complainant s right to know how the complaint was handled. And it must recognize the accused's right to know and challenge the accusations.

You will notice that these examples deal with employees or a very specific type of government client. For the vast majority of Canadians, there is no question of their personal information not being protected. If you recall what I said at the beginning of my remarks, the reason will be clear. The law's drafters began from the premise that privacy is the pre-eminent right. And personal information is exempt from the Access to Information Act. The circumstances when information may be disclosed are limited and specific. And the onus is on the person seeking the information to make the case why the individual's privacy should be violated.

Another very simple example illustrating the conflict between access rights and privacy rights occurred over the awarding of parking permits to government employees. In Canada, there are always more public servants with cars who want parking spaces than there are spaces available. A criteria is applied when awarding permits. For example: how far does the employee live from work? Is public transportation available? Is the applicant in a car pool? Does the person suffer from a physical handicap which prevents access to public transportation, but does not prevent driving a car? When these permits are granted, it is by a committee with members including management and union representatives of employees, to ensure that the decisions are fair.

One applicant who was rejected, wanted to know the names of the people who did get the parking spaces, and the reasons why they got them because he suspected the decision showed favouritism. One of the successful applicants had been awarded the permit because of a physical disability. But, his fellow employees did not know about the disability. The Department provided the names of the successful applicants but, not the reasons why they were given the parking spaces. A complaint was made to the Information Commissioner who agreed that the individuals physical handicap was personal information and there was no public interest to be served in disclosing the information about the physical disability.

However, I have learned one very important lesson in resolving conflicts over disclosure of personal information. It is this: sometimes the conflict can be avoided simply by asking the person whose personal information is the subject of a disclosure request, whether he or she has any objection to releasing the information. In Canada, frequently, the person has no objection to releasing the information. So we can avoid complicated bureaucratic appeals simply by using common sense, and avoiding legalistic approaches to the implementation of the Information and Privacy Acts, think I have now exhausted your patience enough to end my speech. But, I would like again to l leave you with one final message, and it is the same one with which I began my speech.

Information is knowledge, and knowledge is power. The information my government holds is the information of the citizens of Canada. We allow our government to hold this information in trust for us. The purpose of our information laws is to ensure that the trust is upheld. The purpose of these laws is to make our government open and accountable to the people it serves. An engaged and informed public is fundamental to a healthy democracy. Sharing information means sharing power, and that is the purpose of our information law.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: