Submission by

David H. Flaherty
Information and Privacy Commissioner
for British Columbia
to the

Four-Year Review of the
Freedom of Information and Protection of Privacy Act
by a
Special Committee of the Legislative Assembly of
British Columbia

February 24, 1998

http://www.oipcbc.org


TABLE OF CONTENTS
A Message from the Commissioner
1. Keeping Access to Information Rights Intact
2. Legislative Developments in Other Jurisdictions
3. Keeping Access to Records Affordable
4. Dealing with Frivolous and Vexatious Requests: Section 43
5. Preventing Inquiries in Certain Limited Circumstances under the Act: Section 56
6. Authorizing the Information and Privacy Commissioner to Delegate Order-Making Power: Section 49
7. Extending the Act to the Legislative Assembly
8. Extending the Coverage of the Act to the RCMP when it is Acting as a Provincial and Municipal Policing Agency
9. Strengthening Privacy Rights in the Public Sector: Part 3 of the Act
10. Strengthening Privacy Rights in the Private Sector
11. Improving the Credit Reporting Act, R.S.B.C. 1996, c. 81
12. The Privatization and Contracting-Out of Government Services
APPENDICES
A. Additional Proposed Amendments To The Freedom Of Information And Protection Of Privacy Act
B. A Comparison of Fair Information Practices: B.C., The European Union, and the CSA Code

A MESSAGE FROM THE COMMISSIONER

I am very pleased to participate with the Special Committee in moving the Freedom of Information and Protection of Privacy Act (the Act) into the 21st century.

The Act is, without any doubt, one of the greatest legislative contributions made by this House in its term from 1991 to 1996. It is worth recalling that in an otherwise partisan atmosphere, the Act was passed with all-party support and a unanimous vote. I also recognize that it is one thing to enact such unconventional legislation; being the first Government in this province to live with the Act is another matter, as we all know.

The Act has been hailed by privacy specialists and civil libertarians as the most progressive legislation of its kind in the world. I heartily concur in this praise for the work of the House, and caution this Special Committee against changes to the Act based on misinformation or short-term and transitory considerations. Rather, I believe that amendments to the Act must be based on experience, evidence, systematic analysis, and consideration of the needs of British Columbians in the years to come.

For the last four years, my staff and I have worked closely with many British Columbians in the administration of the Act. We conclude that the Act is working very well. However, our experience has taught us that certain technical matters need to be addressed. Furthermore, in light of anticipated new challenges both to users of information and to privacy rights, and due to legislative developments elsewhere, we recommend that the scope of the Act be broadened in some respects.

Since 1993, my office has become a model centre for alternative dispute resolution, commonly known as "ADR." We have successfully mediated ninety-three percent of the nearly 3,500 requests for review and privacy complaints received from individual citizens, businesses, non-profit organizations, media groups, environmental groups, business organizations, political parties, unions, and researchers. We have provided policy advice, commented on proposed legislative schemes, engaged in public education, issued investigative reports on systemic problems, and conducted site visits to a large number of public bodies.

The Act gives the Information and Privacy Commissioner the power to receive comments from the public concerning the administration of the Act. This has given my office the benefit of observing, from an intermediary and impartial position, how the public perceives the legislation. My general perception is that the Act has carefully balanced the right of access to information in records against the rights of confidentiality for general information and privacy for personal information. As an impartial intermediary and adjudicator, my office is well positioned to provide authoritative comment on the Act, such as highlighting particular areas of concern and proposing new directions for the expansion of information and privacy rights for the benefit of all British Columbians, whether their records are in the custody of government or the private sector.

Finally, my office's submission canvasses several major access and privacy issues. In this respect, I have two major goals: to defend the existing Act and to recommend its expansion and improvement in critical places. In addition, my office has prepared an appendix to this paper, which proposes a number of both substantive and technical amendments to the Act. The proposed amendments arise from my office's experience over the past four years with the application of this complex, yet well-written, piece of legislation. In my opinion, the proposed amendments which follow will make a very good law even better.

In conclusion, may I point out that my discussion of proposed amendments is condensed. My colleagues and I will be very pleased to elaborate on any points, either orally or in writing, during the course of the Special Committee's deliberations.


1. Keeping Access to Information Rights Intact

My sense is that the Act has been under attack from both old and new critics since the 1996 provincial election. The Government has been embarrassed on occasion, on large and small issues, when public bodies have disclosed records in response to requests under the Act. Senior government officials have complained that they were no longer free to give candid advice to their political masters, because of the risks of disclosure of what they write in briefing notes. It is as if the argument is being made that government is being undermined by too much democracy.

A fundamental component of any progressive, liberal democratic society should be an open, accountable, transparent government at all levels of society. Public bodies are custodians of vast stores of information with which they seek to influence, for better or worse, the quality of life of each resident of the province. Access to government records therefore must be a right of citizens and not simply perceived as a gift from a passing leadership or a particular political party.

In his last annual report, the highly-experienced federal Information Commissioner, John Grace, stated: "No society can be truly democratic if its citizens must be satisfied with the information fed to them by their leaders."[1] Yet a senior public servant in this province said to me that the public's right to know was limited to what it could ask for through its elected representatives. When I countered that this sounded too much like the BBC-TV series Yes, Minister, I heard unabashed acclaim for Sir Humphrey as an outstanding public servant.

This resistance to openness characterized the state of affairs in British Columbia before the enactment of the Freedom of Information and Protection of Privacy Act. Prior to 1993, British Columbians did not have a right at common law to request government records outside the scope of court actions involving government bodies. Access to information depended largely on the good will of the government agency holding the records, and there were no oversight mechanisms to assess whether all the records had been accounted for. With the proclamation of the Act in 1993, there is now a clear set of rules conferring a statutory right of access to any and all records in the custody or control of a public body, unless those records fall under one of eleven "exceptions" to the right of disclosure. Thus the Act is gradually eroding the resistance to transparency and promoting a culture of openness.

"Public body" has been broadly defined under the Act to include all ministries, Crown corporations, municipal and local governments, hospitals, schools, universities, municipal police departments, health boards and self-governing professions such as the Law Society and the College of Physicians and Surgeons. The Legislature has determined that this broad scope is fully appropriate.

The right of access to records is limited if the information in a record falls under one of the "exceptions" in the Act. Exceptions are determined by either a "harms test" or a "class test." Thus, information which, if disclosed, would cause certain categories of "harm" may be withheld. For example, law enforcement information may be withheld under this test if disclosure would harm an ongoing law enforcement investigation. "Class test" exceptions identify discrete categories of information; for example, legal or policy advice. Information that falls within one of these exceptions does not require an assessment of "harm" in order to be withheld. In class-based exceptions, the harm that would be caused by disclosure is presupposed.

In theory, all discretionary exceptions should be given the narrowest application possible. They should be designed to protect only that information which must or should be kept secret for the public body to properly conduct its affairs. All other information, if requested, should be made available.

In my opinion, the eleven exceptions in the Freedom of Information and Protection of Privacy Act are sufficiently broad to allow public bodies to operate in a "zone of confidentiality," where necessary in the public interest. Indeed, in my view, some of the exceptions are overly broad. From an accountability perspective, it is unnecessary and undesirable for these exceptions to be increased in scope or in number. Such amendments would deny access to information formerly available for inspection. Furthermore, I submit it is in the public interest to consider narrowing some of the exceptions that are already in place or changing some of the current class-based exceptions to harms-based exceptions. British Columbians continue to demand more open and accountable government. Widening the curtain behind which information can be withheld would be an unfortunate move.

In short, access to information and the protection of privacy are fundamental democratic and human rights in a free society, as our Act has already recognized. In my opinion, the Legislative Assembly of British Columbia should do everything in its power to ensure the continuation, extension, and strengthening of these rights during its review of the Act.


2. Legislative Developments in Other Jurisdictions

As much as I admire the progress that we have achieved in this province in the implementation of the Act, the standards for progressive legislation keep going up. Alberta and Manitoba, for example, have recently enacted freedom of information and privacy legislation that this Special Committee should compare with our own Act.

I find further support for freedom of information, in particular, in the December 1997 White Paper of the UK government with respect to its proposals for a Freedom of Information Act, and I would like to draw the attention of the Special Committee to this important development:

The British White Paper, for example, proposes a "substantial harm test" that may be worthy of emulation in this province:


3. Keeping Access to Records Affordable

The Government of British Columbia made a decision early on to keep access to records affordable under the Freedom of Information and Protection of Privacy Act. This has resulted in an enthusiastic use of the Act by ordinary British Columbians to obtain access to both general and personal information. The Act, as it is currently written, permits public bodies to charge reasonable fees for access to general information. It is only recently that more of them have begun making use of fee estimates under section 75 of the Act to recover some of the costs of processing requests for records. Individuals may be charged a fee for locating, retrieving, and producing the record, preparing it for disclosure, and for photocopying, shipping, and handling it. Commercial applicants can be charged the actual cost of processing the request. As it stands today, there is no charge for actually making the request, a condition that I strongly favour in an open and accountable system of democratic government.

One of the most common complaints of public bodies is that, in these times of fiscal restraint, resources devoted to administering the Freedom of Information and Protection of Privacy Act are "wasted." This claim ignores the economic and other benefits which accrue to the public through open government. As John Grace has said about the federal Access to Information Act:

The benefits of this law, in fact are tangible and profound. Courtesy of the right to know, there is greater responsibility, honesty, frugality, integrity, better advice and more selfless decision-making. Every exposure, as a result of an access request, of abuse of power, excessive perks and privileges or just plain silliness, serves the public purse and the public interest. The modest cost of administering access rights...is by any honest measure a bargain.[2]

My office has always sought and promoted cost-effective, pragmatic, and functional solutions to the access and privacy problems that face both public bodies and ourselves. However, my concern over any possible increases in user fees is that they will only further restrict access to information by the public and deter legitimate requests for information. This does not promote the principle of accountable government. Rather, it creates a two-tier class system whereby those with the financial resources can access information, and those without financial resources are left out. Governments should be accountable to all British Columbians, not only to those who have the resources to pay for access to information. Further, those with the least resources to pay may even have a greater interest in accessing information held by government, since, by reason of their situation, they are often subjected to greater government scrutiny than those with the resources to exercise their rights effectively.

In my office's experience, some applicants are discouraged and abandon their requests once they receive a fee estimate because they are unable to muster the resources to pay. I share the belief of my federal counterpart, John Grace, that some of the costs of administering the Freedom of Information and Protection of Privacy Act could be reduced without the need to impose fees.

Request-processing within some public bodies is sometimes unwieldy and requires consideration, debate, and sign-off by various managers at several different levels of the organization. Some public bodies resist the delegation of authority in the processing of requests. Furthermore, high search costs associated with many requests are often the result of inadequate records management and not the request itself. In such cases, applicants may be penalized for substandard record-keeping, which inflates the time spent searching for records. It is not fair that an applicant should be required to pay for these extra costs.


4. Dealing with Frivolous and Vexatious Requests: Section 43

As Information and Privacy Commissioner, I have dealt with a small number of applicants whose repetitive and systematic requests collectively have cost public bodies considerable amounts of money and have consumed personnel and equipment which could be used more productively to promote the goals of the Act. Section 43 of the Act addresses this problem. To date, I have authorized public bodies to disregard requests from approximately twelve of these applicants pursuant to section 43. In my view, the actions of these and other applicants have driven up the costs of access to information incurred by certain public bodies and have brought the administration of the Act into disrepute in some sectors of government. One applicant, for example, has had over 75 reviews, privacy complaints, and other files before my office, resulting in considerable cost to a number of public bodies and my office. I believe that I need greater authority to deter such abuses of the Act.

Section 43 should be revised to address these concerns. I recommend the following wording:

43. If the head of a public body asks, the commissioner may authorize the public body to disregard requests under sections 5 and 29 that

This amendment would allow me to authorize public bodies to disregard repetitious or systematic requests for information under section 5 and for the correction of personal information under section 29. It would also allow me to authorize public bodies to disregard requests made under these sections where such requests, although not systematic or repetitious, are frivolous, vexatious, or not made in good faith. Of course, the same standard should apply with respect to both section 5 and 29 requests: that is, that they interfere unreasonably with the operations of the public body.


5. Preventing Inquiries in Certain Limited Circumstances under the Act: Section 56

Section 56 should be amended to permit the Commissioner to refuse to conduct an inquiry in certain limited circumstances. At present, a determined individual can force the Commissioner to hold an inquiry for any reason whatsoever. Similar language in the Auditor General Act, section 12, and the Ombudsman Act, sections 13 and 22, provides guidance.

Part 5 of the Act should be amended to remove such an automatic right to a formal inquiry by the Information and Privacy Commissioner under section 56. For example, a substantial number of the Commissioner's Orders have dealt with allegations of inadequate searches by public bodies, in circumstances where a reasonable person would likely conclude that the public bodies had made every reasonable effort to search for allegedly missing records.

I recommend that a new provision be added to section 56 as follows:

56(1.1) Notwithstanding section (1), the commissioner may refuse to conduct an inquiry where in the commissioner's opinion


6. Authorizing the Information and Privacy Commissioner to Delegate Order-Making Power: Section 49

Section 49(1)(c) should be repealed and the Commissioner authorized to delegate his order-making powers and authorization powers under sections 42(1)(b), 43, and 58. This would bring the British Columbia legislation in line with Ontario and Quebec and would allow for delegation of my decision-making powers. As the legislation currently is worded, the Commissioner cannot delegate these powers under any circumstances, regardless of whether he or she is in a real or perceived conflict of interest situation with the public body or the applicant or is otherwise incapacitated for any reason. A system that only allows for one decision-maker can be brought to a less than optimal functioning state, if an individual were to refuse to mediate a series of related cases and to insist that they all go to inquiry separately. Most importantly, the continued growth of activity under the Act makes it increasingly untenable for one person, as is currently the case, to draft all of the Orders to the detriment of other responsibilities in the Commissioner's mandate. I have written and released sixty-seven Orders in each of the last two calendar years.

I also recommend that under section 49(1)(b), the Commissioner should be able to delegate the power to inspect records that contain section 12 (Cabinet Confidences) and section 15 (Law Enforcement) information. This would make for an easier distinction in my office between the mediation phase and a formal inquiry. Portfolio Officers need to be able to see all records in order to efficiently and effectively mediate a file.


7. Extending the Act to the Legislative Assembly

The Act currently covers the executive branch of government, leaving the legislative branch outside the scope of access and privacy rights. In relation to requests for records from the public, I believe that the Act should apply to administrative records in the custody and control of the offices of Members of the Legislative Assembly. The principle is the same in both branches of government: accountability for the expenditure of public funds.

The administrative operations of the Legislative Assembly itself should also be fully covered by the Act. I recommend that the definition of "public body" in the Act be extended to apply to the administrative operations of the Legislative Assembly, including the Offices of the Speaker, the Clerk, the Legislative Comptroller, the Sergeant-at-Arms, Hansard, and the Legislative Library.

Part 3 of the Act also should apply to the offices of Members of the Legislative Assembly, as it does to the Officers of the Legislative Assembly. Part 3 contains the "Code of Fair Information Practices" that governs the collection, use, disclosure and retention of personal information. Individual employees and Members of the Legislative Assembly should have the same statutory rights of privacy protection, as set out in Part 3, that other public servants enjoy. This means that both Part 2 (access to records) and Part 3 (protection of personal information) of the Act should apply to the administrative operations of the Legislative Assembly.


8. Extending the Coverage of the Act to the RCMP when it is Acting as a Provincial and Municipal Policing Agency

At present, only the twelve municipal police forces in British Columbia are covered by the Act. The Royal Canadian Mounted Police, functioning as a provincial or municipal police force, is under the aegis of the federal Privacy Act, which is an older and more restrictive piece of legislation. For example, section 8(2)(m) of the federal Privacy Act makes it harder than under the provincial Act to release personal information that is clearly in the public interest, such as in the case of predatory sex offenders. Moreover, the federal Privacy Commissioner has limited financial and personnel resources when it comes to detailed, daily work on information and privacy issues with the RCMP in this province. In contrast, the BC Commissioner has explicit auditing power over all public bodies, which I exercise in the form of site visits in particular. Thus, I actually go to municipal police forces for site visits that are useful in raising consciousness about fair information practices among law enforcement personnel. I have conducted site visits to both the Vancouver and Victoria police departments on several occasions. There are also related problems evolving out of the different ways in which the respective police forces function, bureaucratically, with respect to notifications to the public about the presence of sexual offenders in the community who pose a serious risk.

In short, residents of this province have stronger and, arguably, more meaningful disclosure and privacy rights under the provincial Act than under the equivalent federal privacy legislation. Thus, B.C. residents face a confusing and uneven blanket of access and privacy rights in this area. It is my considered opinion that in performing provincial and municipal policing, in particular under contract to the province, the RCMP should fall within the scope of the British Columbia Freedom of Information and Protection of Privacy Act.

It is my goal, wherever possible, to ensure that the people of British Columbia enjoy the greatest access rights and the highest possible protection for their personal information, regardless of jurisdictional and constitutional divisions of authority in the law enforcement field. Coherence and transparency, as well as a desire to provide rights to British Columbians, militate in favour of such a step.


9. Strengthening Privacy Rights in the Public Sector: Part 3 of the Act

My office has prepared an enlightening table that compares the B.C. Act, the European Union's Directive on Data Protection, and the Model Privacy Code of the Canadian Standards Association (CSA). All of the member nations of the European Union, including the United Kingdom, are currently revising their data protection (privacy) laws to ensure that they meet the standards set out in the Directive. The Directive is the latest word on European privacy protection and thus a standard that Canadians and British Columbians will be expected to meet, if our companies and organizations are exchanging personal data with the European Union.

Based on Appendix B, it is clear that the B.C. Freedom of Information and Protection of Privacy Act fares well by national and international standards. In the table an asterisk marks the provision that offers the strongest protections for personal privacy. What the Special Committee should note, in particular, are the categories where the B.C. Freedom of Information and Protection of Privacy Act is, in our judgment, weaker than the European Directive. These categories include:

In our judgment, the CSA Code also has stronger provisions than either the European Directive or the B.C. Act with respect to:

Thus, by other recognized standards, there is clearly a need to enhance the existing privacy protections available to British Columbians under the Act.


10. Strengthening Privacy Rights in the Private Sector

The federal Parliament, and also the Legislature of British Columbia, should extend the statutory privacy rights of individuals to the private sector. British Columbians must have the tools to ensure the protection of their personal information into the next century. I am referring in particular to the appropriate collection, use, disclosure, and retention of personal information by private sector organizations and companies not currently covered by the Freedom of Information and Protection of Privacy Act.

Such entities include telephone companies, banks and trust companies, credit unions, employer associations, labour unions, transportation and telecommunications companies, large and small retailers, grocery stores, pharmacies, direct marketers, telemarketers, insurance companies and brokers, physicians, dentists, lawyers, accountants, therapists, physiologists, travel agencies, charitable organizations, associations, churches, hotels, investment dealers, and video rental shops.

I realize, of course, that the federal government has sole jurisdiction over some of these entities, but I present such a long list to show the Special Committee the extent to which, with the exception of Quebec, the private sector in Canada is almost completely unregulated, except by market forces, in relation to the use and re-use of personal information. Quebec has had legislation in place mandating fair information practices for the private sector since January 1, 1994. Every member country of the European Union has similar legislation in place, as do New Zealand, Hong Kong, and Hungary.

When the European Union's Directive on Data Protection comes into effect in the fall of 1998, Canadian companies and organizations will be unable to transfer personal information about customers, members, or employees in or out of the European Union, because Canada and most of its provinces do not have adequate or equivalent data protection legislation in place. While I am aware that contractual arrangements may be available as a second level solution, it is embarrassing that Canada has weaker protections for privacy as a human right than member states of the European Union. As a British Columbian, with such superb legislation already covering the public sector, the contrast is even more disturbing. B.C. should again take a leadership role in this area.

As a fundamental human right, privacy requires explicit legislative protection. Some segments of the private sector continue to insist that market forces and self-regulation are sufficient to protect the interests of consumers. The Canadian Bankers' Association (CBA) has a model privacy code for its members. Similarly, the Canadian Direct Marketing Association (CDMA) has a privacy code for its member organizations. However, none of these codes has the force of law, which is the goal of most privacy advocates. Even the CDMA has supported the call for legislation for the federally-regulated private sector.

I applaud the voluntary efforts these groups have made, especially the Canadian Standards Association's Model Code for the Protection of Personal Information, promulgated in 1996 on the basis of several years of consultation. I strongly urge every "private sector" organization in the province to subscribe to it and to customize its general rules to their particular business and organizational activities. My office continues to offer assistance and guidance for these purposes. However, stronger controls are necessary, a fact that the federal government has already recognized.

In September 1996, the Minister of Justice, then the Honourable Allan Rock, addressed the Eighteenth International Conference on Privacy and Data Protection in Ottawa. The Minister clarified the Government of Canada's commitment to privacy rights in the federally-regulated private sector:

Although I agree with Allan Rock's statements, the amount of personal information in the private sector under the control of the federal government is quite limited. Therefore, I strongly recommend that the Government of British Columbia introduce legislated privacy rights for the protection of personal information in the custody or under the control of non-government bodies in British Columbia.


11. Improving the Credit Reporting Act

The Credit Reporting Act, R.S.B.C. 1996, c. 81, establishes minimum requirements for credit reporting agencies (primarily credit bureaus) operating in the Province of British Columbia. These requirements include privacy protection provisions regarding disclosure and content of credit reports and a process for individuals to have access to and correct their credit information. These provisions may not, however, meet the current standard for fair information practices established in Part 3 of the Freedom of Information and Protection of Privacy Act and, therefore, should now be updated. Also, I believe the ultimate responsibility for overseeing the privacy practices of credit bureaus should be transferred from the Ministry of Attorney General to the Office of the Information and Privacy Commissioner, as has been the case in Quebec since 1994. This should accompany the extension of the Act to the private sector.


12. The Privatization and Contracting-Out of Government Services

During times of fiscal restraint, the privatization of government services is often seen as a reasonable cost-saving measure. However, the federal Privacy Commissioner has expressed concern about the negative consequences of privatization on privacy. According to Bruce Phillips:

Commissioner Phillips considers the privatization of federal government data banks to be "a privacy disaster:"

My view is that where governments privatize services that ministries and Crown corporations previously had provided, fundamental access to records and protection of privacy rights may be minimized or lost for both the public and employees. Government should examine ways of transferring these rights in the Act to any newly-privatized entity, just as successor rights apply in the labour law context.

The current trend toward contracting-out the management of government data is also growing. Any government data banks containing personal information could feasibly be targeted for this purpose. This could include medical records, social services records, property assessment records, educational records, and driving records. For example, the government of British Columbia is now in the process of contracting-out the management of BC Online, which accesses the Assessment Roll, the Land Title Registry, the Corporate Registry, and the Personal Property Registry. British Columbians should have the right to expect the same standards and respect for their access and privacy rights regardless of whether the information resides in a Ministry file or within the computer network of a private contractor who has been hired to manage that data.

My office has worked closely with the province to ensure that relevant "Requests for Proposals" (RFPs) for contracting-out contain appropriate privacy and data security standards to ensure compliance with the Act. Such standards should include the usual fair information practices: use of the information only for the purpose for which it was collected; no disclosure without consent; no secondary uses of the data; the right of individuals to correct their personal information in the data bank; rights of individual access; and limited access to the data bank. Any contracts entered into under these circumstances must be audited for compliance with the Act's privacy standards, with accompanying penalties or contract cancellation in the event of a breach.

While specific wording in specific contracts alleviates some of my concern over the privacy and security issues which accompany contracting-out, I strongly believe that the continuing protection of personal information should be clearly stated, during processes of privatization or contracting out of government services, in the Freedom of Information and Protection of Privacy Act. The privacy issue is compounded further as the line between public and private sector data bases becomes blurred.



APPENDIX A: ADDITIONAL PROPOSED AMENDMENTS TO THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

Note: all references to section numbers in the Freedom of Information and Protection of Privacy Act (the Act) are to the R.S.B.C. 1996 numberings.

Section-by-section commentary

1. Time Limits and Time Extensions

Time extensions while awaiting payment of fees

Section 10(1) should be amended to permit public bodies to stop the 30-day clock under section 7 while public bodies await payment of fee estimates. Public bodies now do this but without express statutory authority.

Time extensions for extenuating circumstances

Section 10(1) should be amended to permit the Information and Privacy Commissioner to grant time extensions where extenuating circumstances require additional time for a public body to process a request for records. For example, strikes, lockouts, natural disasters, fires, and earthquakes, all may result in public bodies not being able to locate or get to records, computer equipment, and offices.

Time extensions to permit clarification of requests

Section 10(1)(a) should be amended or deleted to permit public bodies to start the 30-day clock once the request is clear. Under the present wording, public bodies may lose some of the 30 days if the applicant cannot or will not clarify or identify the request.

Section 10(1)(c) should be amended to clarify the link between the time limits in sections 10, 23, and 24. Currently it is not clear if public bodies must take a time extension under section 10, if they are notifying third parties under sections 23 and 24. Presumably the time limits under sections 23 and 24 then apply, but the Act is not clear on this point.

Time extensions during third-party reviews

Section 10(1)(d) should state that where a third party asks for a review under section 52(2) or 62(2), the time for processing the applicant's request is extended until the third party's review has been concluded.

Time extensions during section 43 proceedings

A new provision in section 10(1) is required to permit the Information and Privacy Commissioner to grant time extensions to a public body that has requested an authorization to disregard the applicant's requests for records under section 43 of the Act. The current legislation requires public bodies to continue processing an applicant's requests until the Commissioner approves a section 43 authorization to disregard such requests.

The new provision might read as follows:

10(1) The head of a public body may extend the time for responding to a request for up to 30 days or, with the commissioner's permission, for a longer period if

2. Exceptions to Disclosure: sections 12 to 22

Policy advice and recommendations: section 13

Section 13(1) should be amended to include a "significant harms test." This will ensure that public bodies withhold only the advice and recommendations where disclosure could significantly harm the public body or the Government of British Columbia.

Law enforcement information: section 15

Section 15 should be amended to restrict the definition of "law enforcement" to policing or conventional law and by-law enforcement under statutory and regulatory authority. Section 16 of the federal Access to Information Act legislation is more restrictive and could be used as a model. The current definition is so expansive as to allow public bodies to protect almost any activity. If it is necessary to protect other more administrative activities which are currently protected by section 15, a separate exception could be used.

Third-party personal information: section 22

Section 22(4) should be amended to provide that it is not an unreasonable invasion of personal privacy of a third party to disclose personal information about the third party where that person has been deceased for more than 20 years. Section 36 permits the disclosure of personal information about persons deceased for more than 20 years for archival and historical purposes. Therefore, I recommend that section 22(4) permit disclosure of a deceased person's personal information after 20 years.

Public interest disclosure: section 25

Section 25(2) should be amended to read "25(2) Subsection (1) applies despite any other provision in Part 2, Division 2 or section 33 of this Act." This amendment will address the interpretation given to section 25(2) by Madam Justice Levine of the British Columbia Supreme Court, sitting as an Adjudicator under section 60(1)(b) of the Act, in an adjudication order dated June 30, 1997 (Gordon Ronalds and the Office of the Information and Privacy Commissioner).

The proposed amendment to subsection 25(2) will avoid public bodies being required to search their otherwise excluded records under sections 3(1)(a) to 3(1)(i) for information that must be disclosed in the public interest under section 25. These records include records in court files, criminal justice prosecution files, and collections of private records in the BC Archives and Records Service.

3. Part 3 of the Act: Fair Information Practices

Correction of personal information: section 29

In relation to section 29 of the Act, section 89(5) of the Child, Family and Community Service Act, R.S.B.C. 1996, c. 46 (the CFCS Act), should be amended specifically to include section 29.

The CFCS Act gives the Commissioner power to order correction of personal information in records that fall under the CFCS Act. This is evident by the mention of section 58(3)(d) of the Act in section 89(5) of the CFCS Act. However, section 89(5) should also mention section 29 of the Act, because it is the latter section that permits public bodies to correct or annotate personal information.

4. Part 4 of the Act: Office and Powers of the Commissioner

Exclusion of Commissioner's staff: section 41

In relation to section 41 of the Act, the definition of "employee" in the Public Service Labour Relations Act, R.S.B.C. 1996, c. 388, section 1(1), should be amended to exclude staff of the Office of the Information and Privacy Commissioner. This exclusion has already occurred under the legislation for the staff of the Office of the Auditor General, the staff of the Office of the Ombudsman, and the staff of the Chief Electoral Officer.

Statutory revision matter: section 41

In section 41(4)(b), the phrase "are inadequate for fulfilling the duties of the office" should not be part of this section. Rather, this phrase should be moved to the line below section 41(4)(b) so that it can be read as applying to both sections 41(4)(a) and 41(4)(b). The original version of the Act had the correct spacing. See also the Auditor General Act, section 8(4) for an example of correct spacing of paragraphs. So amended, section 41(4) would read as follows:

41(4) The commissioner may make a special report to the Legislative Assembly if, in the commissioner's opinion,

are inadequate for fulfilling the duties of the office.

5. Investigation and Reporting Powers of the Commissioner

Special reports to the Legislative Assembly: section 42

The Information and Privacy Commissioner should have an express power in section 42(1) to make special reports to the Legislative Assembly beyond the annual report requirement in section 51 and the special report for budgetary purposes in section 41(4). Similar provisions are found in the following legislation:

Solicitor-client privilege: section 44 -- production of records and continuation of privilege

Section 44 should be amended to expressly state that inspection by, or disclosure to, the Information and Privacy Commissioner of solicitor-client privileged records during reviews, inquiries, and complaint investigations, does not waive solicitor-client privilege. The Legal Profession Act, R.S.B.C. 1996, c. 255, section 63(2), contains a similar provision that continues privilege where lawyers' files are transferred to the custody of the Law Society.

Section 44(3) should be amended to change the phrase "any privilege of the law of evidence" to "any legal privilege." The Supreme Court of Canada has ruled that solicitor-client privilege is not an evidentiary privilege but substantive law. This amendment will clarify the rule in section 44(3) that requires public bodies to produce records to the Information and Privacy Commissioner, even where those records are subject to solicitor-client privilege.

Protection of the Commissioner and staff from being compelled: section 45

Section 45 should be amended to prevent the Commissioner and his or her staff from being compelled to give evidence in legal proceedings in relation to their duties and functions under the Act. As well, section 45 should be amended to prevent information obtained by the Commissioner and staff during the exercise of their duties and functions from being compelled in legal proceedings.

There are similar provisions in the Child, Youth and Family Advocacy Act, section 8, and the Ombudsman Act, sections 9(5) and 20(2).

Inquiry by the Commissioner: Section 56(6)

My office's interpretation of the mediation process for requests for review by the Commissioner means that the actual mediation period is sixty-eight days in order to exchange submissions before the ninety-day period expires, as required by section 56(6). The written inquiry process requires twenty-one days for the preparation and exchange of submissions among the parties. Officially, an inquiry by the Commissioner occurs on the ninetieth day of the mediation period set out in section 55. The Special Committee is aware that the Portfolio Officers successfully mediate a very high percentage of requests for review. Sometimes the ninety-day time limit is extended by agreement of the parties or by my authorization. But sixty-eight days is clearly not long enough for complex cases, or ones in which the parties are hard to reach.

My judgment is that it would be preferable to allow a full ninety-day mediation period by specifying such a time limit in section 55 and removing section 56(6).

Order-making powers: section 58

Mandatory versus discretionary order-making power

Section 58 requires the Commissioner to dispose of the issues by making an Order. In some inquiries, I have concluded that an Order should not be issued, such as where I have found that a public body has complied with its duty to assist applicants under section 6 of the Act. I recommend that section 58(1) be amended to give the Commissioner discretion to decline to issue an Order in an inquiry. This can be done by changing the phrase "...the commissioner must..." to "...the commissioner may..." in section 58(1). I do not wish to remove or dilute any of the order-making authority of the Commissioner, which is such a central feature of the Act.

In my opinion, section 58(2) should continue to use the mandatory phrase "...the commissioner must..." because the Commissioner always issues an order where the inquiry reviews a decision to give or refuse access to records. The change from "must" to "may" in section 58(1) would make that section consistent with the permissive "may" in section 58(3).

Section 43 Authorizations by Adjudicators: Section 63

Section 61(1) gives the adjudicator the powers of the Information and Privacy Commissioner under section 43 in respect of applications to disregard requests for records that, because of their repetitious or systematic nature, would unreasonably interfere with the operations of the Information and Privacy Commissioner. This means that under section 43, the Commissioner can apply for an authorization to disregard such requests where the Commissioner is acting as a public body.

The appointment process for an adjudicator in relation to section 43 is not clear, however. Section 63 establishes the right of parties to request the appointment of an adjudicator to review the Information and Privacy Commissioner's decisions to sever or withhold records. Section 63(1) requires the parties to deliver their written requests to the minister responsible for the Act (currently the Minister of Employment and Investment). [Please note: as per Order-in-Council 177-98, 11, the Minister of the newly appointed Ministry of Advanced Education, Training and Technology has now been charged with the administration of the Freedom of Information and Protection of Privacy Act and all other heretofore provisions in previous orders charging another member of the Executive Council with the administration of that Act are rescinded.] Experience to date with the section 43 process shows that relatively fast decision-making is required, given the stresses imposed on the public body by an applicant's repetitious or systematic requests.

The usual appointment of adjudicators takes place after a review by the Minister of Employment and Investment. The Minister then contacts the Office of the Chief Justice of the Supreme Court to request that an adjudicator be appointed. Adjudication proceedings may take months to proceed from the Minister to the Office of the Chief Justice.

I therefore recommend that where the Information and Privacy Commissioner requests relief from repetitious or systematic requests under section 43, the Commissioner be permitted to apply directly to the Registrar of the Supreme Court of British Columbia to request appointment of an adjudicator. The following proposed addition to section 63 would resolve this issue:

63(4) Where the commissioner as head of a public body requests an authorization to disregard requests for records under section 43, the commissioner may apply to the Registrar of the Supreme Court to request appointment of an adjudicator.

Interim orders

Section 58 does not expressly provide for the Commissioner to issue interim Orders where he or she wishes to retain jurisdiction to consider subsequent issues arising from the same request and review.

The need for interim order-making power arose recently in two inquiries. In Order No. 158-1997 (Workers Compensation Board of British Columbia, April 10, 1997) and Order No. 186-1997 (Public Service Employee Relations Commission, August 20, 1997), I found that the public bodies had not properly reviewed and severed records in response to requests for records. The public bodies were ordered to review and sever records and then to provide the office of the Commissioner with the severed versions of the records. In the two Orders, I "retained jurisdiction" over the issues until completion of the severing. See also Order No. 115-1996, August 23, 1996, where the Order did not conclude the inquiry process.

Section 58 should permit the Commissioner to make interim Orders that compel a public body to do or not do something, pending final determination of the issue by the Commissioner in the continuation of the inquiry. This will avoid the anomalous situation of sending applicants back to the beginning of the 90-day review line if they must request a new review of the severing of records that a public body should have done in the first place.

6. Part 6 of the Act: General Provisions

Addition of new public bodies: section 76

Section 76(2) should be changed to add an amending formula similar to the Ombudsman Act for adding new public bodies. The Ombudsman Act states that if a majority of a board of directors is appointed by the government, then it is covered by the Ombudsman Act. This amendment would keep Schedule 2 current, without having to wait for a change by Order in Council.

Sections 76(3) and 76(4) should also be amended to ensure that the Lieutenant Governor in Council routinely adds new public bodies to the Schedules 2 and 3 lists of public bodies and self-governing professional bodies.

Review of the Act: section 80

It will be evident to the Special Committee, from the range of submissions it is receiving, that the implementation of a complex Act is still being fine-tuned. Thus I would urge you to amend section 80 to require the startup of another comprehensive review by a Special Committee of the Legislative Assembly by October 4, 2002.

7. Regulation 3(b)

Regulation 3 should be amended to authorize a person acting for a minor to authorize the disclosure of personal information under section 33(b). It was presumably an oversight not to have specified this in the original Regulation. At present, such representatives have to obtain the information and then pass it on.



Appendix B: Comparison of Fair Information Practices

Freedom of Information and Protection of Privacy Act
and the
European Union Directive 95/../EC ...on the protection of individuals with regard to the
processing of personal data and the free movement of such data

and the
Canadian Standards Association Model Code for the Protection of Personal Information

(*) asterisk denotes strongest provision

Subject | FOIPP Act [RSBC 1996] | European Union Directive | CSA Model Code

Goals / Objectives

Protect personal information by giving public a right of access to their personal information, the ability to correct that information and prevention of unauthorized use or disclosure of personal information.

*...protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.

The objective of this standard is to assist organizations in developing and implementing policies and practices to be used when managing personal information.

Definition of "personal information"

* Personal information is defined as recorded information about an identifiable individual, including their name, address, phone number, race, national or ethnic origin, colour, religious or political beliefs or associations, age, sex, sexual orientation, marital status or family status, identifying numbers, symbols or other particular assigned to the individual, fingerprints, blood type or inheritable characteristics, information about the individual's health care history, physical or mental disability, educational, financial, criminal or employment history, anyone else's opinions about the individual, and the individual's personal views or opinions, except if they are about someone else.

"personal data" means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

(See Article 2 Definitions)

"Personal information" about an identifiable individual that is recorded in any form.

(See c 2.1 Definitions)

Definition of "record"

* Includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by graphic, electronic, mechanical or other means, but does not include a computer program or any other mechanism that produces records.

No specific definition of record but Directive applies to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

No specific definition of record but definition can be surmised from that of "personal information" recorded in any form.

(See c 2.1 Definitions)

Definition of "personal information bank"

"Personal information bank" means a collection of personal information that is organized or retrievable by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.

* "Personal data filing system" (filing system) is any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. (See Article 2 Definitions)

No definition of personal data bank

Purpose for which personal information may be collected

The collection must be expressly authorized by or under an Act - information is collected for the purposes of law enforcement, or - information relates directly to and is necessary for an operating program or activity of the public body.

(See s. 26)

* Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes...adequate, relevant and not excessive in relation to the purposes for which they are collected and/or for which they are further processed

(See Article 6.1(a)(b)(c))

Organizations shall not collect personal information indiscriminately and both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified. Organizations should specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle. The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected.
(See Principle 4)

How personal information is to be collected

A public body must collect personal information directly from the individual the information is about unless: -another method of collection is authorized by that individual, the commissioner or another enactment; -the information may be disclosed to the public body under sections 33 to 36; -the information is collected for the purpose of determining suitability for an honour or award, a proceeding before a court or tribunal, collecting a debt or fine or making a payment or law enforcement.

(See s. 27)

Personal data may be processed only if the data subject has given his consent unambiguously; or in compliance with a legal obligation (including a contract) to which the controller or data subject is bound. Reasonable steps must be taken to ensure that data is accurate and, where necessary, kept up to date. Information should not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes of collection. (See also "Notice of Collection" below) Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life except as allowed in Article 8

(See Article 8)

* Knowledge and consent of the individual are required for the collection except where this is inappropriate (legal, medical, security reasons may make it impossible or impractical). To make consent meaningful, the purposes must be stated in a reasonably understandable manner. Consent shall never be obtained through deception. Express consent should always be obtained for sensitive information. An organization may not require an individual to consent to collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purpose. Purpose for collection must be identified at or before the time the information is collected to the individual from whom the personal information is collected. This should be done either orally or in writing.

(See Principle 3)

Notice of collection

A public body must tell an individual from whom it collects personal information the purpose for collecting it, the legal authority for collecting it and the title, business address and business telephone number of an officer or employee of the public body who can answer the individual's questions about the collection. This notice is not required if the information is about a law enforcement matter or the Minister responsible for the FOIPP Act excuses a public body from complying with it because doing so would result in the collection of inaccurate information or defeat the purpose or prejudice the use for which the information is collected. (See s. 27)

* In cases where personal information is being processed the controller must provide the data subject from whom data relating to himself are collected with at least the following information, except where already known: -the identity of the controller and/or of his representative - the purposes of the processing for which the data are intended -any further information such as the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, as well as the possible consequences -the existence of the right of access to and the right to rectify the data concerning him. This does not apply to processing for statistical purposes or for the purpose of historical or scientific research, or where the provision of information proves impossible or where disclosure is prohibited by law. (See Articles 10 and 11)

Member States shall provide that the controller must notify the supervisory authority referred to in Article 28 before carrying out any wholly or partly automatic processing. Exceptions are provided to this rule under conditions where the processing of data is unlikely to adversely affect the rights and freedoms of data subjects. (See Article 18 or Article 19 for contents of notification to supervisory authority) Member States shall determine the processing operations likely to present specific risks for the rights and freedoms of data subjects and shall check that these operations are examined prior to the start thereof. Measures shall be taken to ensure that processing operations are publicized and that a register of such operations is kept and made available to any person. (See Articles 20 and 21)

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals should be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. The information made available shall include:

-the name and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded -the means of gaining access to personal information held by the organization -a description of the type of information held by the organization, including a general account of its use -a copy of any brochures that explain the organization's policies and codes -what personal information is made available to related organizations (e.g., subsidiaries). (See Principle 8, c 4.8)

Accuracy of personal information

If an individual's personal information will be used by a public body to make a decision that directly affects the individual, the public body must make every reasonable effort to ensure that the information is accurate and complete. (See s. 28)

Personal data must be accurate, and where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed are erased (See Article 6(1)(d))

* Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual. An organization should not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

(See Principle 6)

Right to request correction of personal information

An applicant who believes there is an error or omission in his or her personal information may request the head of the public body that has the information in its custody or under its control to correct the information. If no correction is made in response to this request, the public body must annotate the information with the correction that was requested but not made. On correcting or annotating the personal information under this section, the public body must notify any other public body or any third party to whom that information has been disclosed during the one year period before the correction was requested. (See s. 29)

* Data subjects must be told of their right to access their personal information and of their right to rectify the data concerning them. Member States shall guarantee for every data subject the right to obtain from the controller rectification, erasure or blocking of data, the processing of which does not comply with this Directive, in particular because of the incomplete or inaccurate nature of the data. Notification to third parties to whom the data has been disclosed of any rectification, erasure or blocking carried out in compliance with the above requirements unless this proves impossible or involves a disproportionate effort.

(See Articles 10, 11 and 12)

When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending on the nature of the information challenged, amendment involves the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question. When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge should be recorded by the organization. When appropriate the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.

(See Principle 9)

Protection of Personal Information

Public bodies must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal. (See s. 30)

* Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss and against unauthorized alteration, disclosure or access in particular where the processing involves the transmission of data over a network. Having regard to the state of the art and the costs of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Controllers must provide sufficient guarantees in respect of the technical security measures and organizational measures and must ensure compliance with those measures. The carrying out of the processing must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: -the processor shall act only on instructions from the controller -these obligations shall be incumbent on the processor. If processing would involve a data transfer to a third country, the adequacy of the level of protection afforded by that country shall be assessed in the light of all the circumstances surrounding it; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing, the country of origin and the country of final destination, and the rules of law and the professional rules and security measures which are in force and complied with in those countries. (See Article 25 and 26)

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosures, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The methods of protection should include: a) physical measures, for example, locked in cabinets and restricted access to offices; b) organizational measures, for example, security clearances and limited access on a "need-to-know" basis and c) technological measures, for example the use of passwords and encryption. Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information. Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. (See Principle 7)

Retention of personal information

If a public body uses an individual's personal information to make a decision that directly affects the individual, the public body must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it. (See s. 31)

Member States shall provide that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (See Article 6 (d) and (e))

* Organizations should develop guidelines which provide minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods. (See Principle 5)

Destruction of personal information

No clause--destruction controlled by other statutes such as the Document Disposal Act.

* Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the collected purposes. Data which are inaccurate, incomplete or stored in a way incompatible with legitimate purposes shall be erased, rectified or blocked.

(See Article 6 and 32)

Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations should develop guidelines and implement procedures to govern the destruction of personal information. (See Principle 5, c. 4.5.3)

Use of personal information

* A public body may use personal information only for the purpose for which that information was obtained or compiled or for a use consistent with that purpose; if the individual the information is about has identified the information and has consented, in the prescribed manner, to the use or for a purpose for which that information may be disclosed to that public body under sections 33 to 36. (See s. 32)

The Directive does not refer to "use" of personal information; rather the term is "processing of personal data" and means any operation or set of operations which is performed upon personal data, whether or not by automatic means. Controllers must ensure that the information is only processed in a way compatible with the original purpose for which it was collected. (See Article 6 and 7) Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him based solely on automated processing of data intended to evaluate certain personal aspects relating to him. (See Article 15)

When personal information is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. (See Principle 2, c. 4.2.4) Organizations using personal information for a new purpose shall document this purpose in order to comply with the Openness principle. (See Principle 3, c. 4.4)

Disclosure of personal information

* A public body may disclose information only:
- in accordance with Part 2
- if the individual the information is about has identified and consented to its disclosure
- for the purpose for which it was obtained or compiled or for a use consistent with this purpose
- for the purpose of complying with an enactment of, with a treaty, made under an enactment of BC or Canada
- for the purpose of complying with a subpoena, warrant or order
- to an officer or employee of the public body if the information is necessary for the performance of the duties of, or for the protection of the health and safety of the officer or employee
- to the AG for use in civil proceedings or actions under the Coroners Act
- for collecting a debt or making a payment owed or owing to government
- to a MLA whom the individual has asked for assistance
- to the Auditor General for audit purposes
- to BC Archives for archival purposes
- to a law enforcement agency
- if there are compelling circumstances that affect anyone's health and safety
- so the next of kin or a friend of an injured, ill, or deceased individual may be contacted
- as part of a research agreement.
(See s. 33)

The data subject shall be notified at the time of collection of the recipients or categories of recipients of the data. (See Articles 10 and 11) In addition, controllers shall specify to the supervisory authority the recipients or categories of recipient to whom the data might be disclosed and any proposed transfers of data to third countries. (See Article 19) The data subject is granted the right to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses. (See Article 14) The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unauthorized disclosure. (See Article 17)

Personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. (See Principle 5)

Definition of consistent purpose

If the use has a reasonable and direct connection to the original purpose for which it was collected and is necessary for performing the statutory duties of, or for operating a legally authorized program of, the public body that uses or discloses the information. (See s. 34)

* Personal data must be collected for specified, explicit and legitimate purposes only and not further processed in a way incompatible with those purposes. (See Article 6(1)(b))

When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. (See Principle 2, c. 4.2.4)

Data Subject's right to object to the use of the information

* Appeal to the Information and Privacy Commissioner.

Data subject can object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data. Data subject can also object to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing. (See Article 14)

An individual shall be able to address a challenge concerning compliance with the CSA Code to the designated individual or individuals accountable for the organization's compliance. Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint process should be easily accessible and simple to use. Organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint mechanisms. A range of these mechanisms may exist. An organization shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, the organization shall take appropriate measures. (See Principle 10)

Penalties and Sanctions

The Commissioner may authorize a public body to disregard requests from an applicant that, because of their repetitious or systematic nature, would unreasonably interfere with the operations of the public body. (See s. 43) A person must not willfully do any of the following: - make a false statement to, or mislead or attempt to mislead, the commissioner or another person in the performance of the duties, powers or functions of the commissioner or other person under this Act; - obstruct the commissioner... - fail to comply with an order made by the commissioner under s. 58 or by an adjudicator under s. 65(2). A person who contravenes these rules is liable to a fine... (See s. 74)

* Without prejudice to any administrative remedy for which provision may be made, Member States shall provide for the right of every person to a judicial remedy for any breach of rights guaranteed him by the national law applicable to the processing in question. (See Article 22) Any person who has suffered damage as a result of unlawful processing or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered. (See Article 23) Suitable measures shall be adopted to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions. (See Article 24)

Self-regulatory and voluntary code developed for private sector. Three levels of registration by the Canadian Standards Association which performs audits of privacy practices.

Appendix B Prepared by: Mary Carlson, Portfolio Officer
Jason Young, Research Officer
Office of the Information and Privacy Commissioner of B.C.
February 3, 1998



[1] Information Commissioner of Canada, Annual Report, 1995-1996, page 3.


[2] Information Commissioner of Canada, Annual Report, 1995-1996, page 8.


[3] Privacy Commissioner of Canada, Annual Report, 1995-1996, page 2.


[4] Privacy Commissioner of Canada, Annual Report, 1995-1996, page 1.
