David H. Flaherty
Information and Privacy Commissioner
for British Columbia
Four-Year Review of the
Freedom of Information and Protection of Privacy Act
Special Committee of the Legislative Assembly of
February 24, 1998
|A Message from the Commissioner|
|1.||Keeping Access to Information Rights Intact|
|2.||Legislative Developments in Other Jurisdictions|
|3.||Keeping Access to Records Affordable|
|4.||Dealing with Frivolous and Vexatious Requests: Section 43|
|5.||Preventing Inquiries in Certain Limited Circumstances under the Act: Section 56|
|6.||Authorizing the Information and Privacy Commissioner to Delegate Order-Making Power: Section 49|
|7.||Extending the Act to the Legislative Assembly|
|8.||Extending the Coverage of the Act to the RCMP when it is Acting as a Provincial and Municipal Policing Agency|
|9.||Strengthening Privacy Rights in the Public Sector: Part 3 of the Act|
|10.||Strengthening Privacy Rights in the Private Sector|
|11.||Improving the Credit Reporting Act, R.S.B.C. 1996, c. 81|
|12.||The Privatization and Contracting-Out of Government Services|
|A.||Additional Proposed Amendments To The Freedom Of Information And Protection Of Privacy Act|
|B.||A Comparison of Fair Information Practices: B.C., The European Union, and the CSA Code|
The Act is, without any doubt, one of the greatest legislative contributions
made by this House in its term from 1991 to 1996. It is worth recalling that in
an otherwise partisan atmosphere, the Act was passed with all-party support and
a unanimous vote. I also recognize that it is one thing to enact such
unconventional legislation; being the first Government in this province to live
with the Act is another matter, as we all know.
The Act has been hailed by privacy specialists and civil libertarians as the
most progressive legislation of its kind in the world. I heartily concur in this
praise for the work of the House, and caution this Special Committee against
changes to the Act based on misinformation or short-term and transitory
considerations. Rather, I believe that amendments to the Act must be based on
experience, evidence, systematic analysis, and consideration of the needs of
British Columbians in the years to come.
For the last four years, my staff and I have worked closely with many British
Columbians in the administration of the Act. We conclude that the Act is working
very well. However, our experience has taught us that certain technical matters
need to be addressed. Furthermore, in light of anticipated new challenges both
to users of information and to privacy rights, and due to legislative
developments elsewhere, we recommend that the scope of the Act be broadened in
Since 1993, my office has become a model centre for alternative dispute
resolution, commonly known as "ADR." We have successfully mediated ninety-three
percent of the nearly 3,500 requests for review and privacy complaints received
from individual citizens, businesses, non-profit organizations, media groups,
environmental groups, business organizations, political parties, unions, and
researchers. We have provided policy advice, commented on proposed legislative
schemes, engaged in public education, issued investigative reports on systemic
problems, and conducted site visits to a large number of public bodies.
The Act gives the Information and Privacy Commissioner the power to receive
comments from the public concerning the administration of the Act. This has
given my office the benefit of observing, from an intermediary and impartial
position, how the public perceives the legislation. My general perception is
that the Act has carefully balanced the right of access to information in
records against the rights of confidentiality for general information and
privacy for personal information. As an impartial intermediary and adjudicator,
my office is well positioned to provide authoritative comment on the Act, such
as highlighting particular areas of concern and proposing new directions for the
expansion of information and privacy rights for the benefit of all British
Columbians, whether their records are in the custody of government or the
Finally, my office's submission canvasses several major access and privacy
issues. In this respect, I have two major goals: to defend the existing Act and
to recommend its expansion and improvement in critical places. In addition, my
office has prepared an appendix to this paper, which proposes a number of both
substantive and technical amendments to the Act. The proposed amendments arise
from my office's experience over the past four years with the application of
this complex, yet well-written, piece of legislation. In my opinion, the
proposed amendments which follow will make a very good law even better.
In conclusion, may I point out that my discussion of proposed amendments is
condensed. My colleagues and I will be very pleased to elaborate on any points,
either orally or in writing, during the course of the Special Committee's
[Return to Table of Contents]
My sense is that the Act has been under attack from both old and new critics
since the 1996 provincial election. The Government has been embarrassed on
occasion, on large and small issues, when public bodies have disclosed records
in response to requests under the Act. Senior government officials have
complained that they were no longer free to give candid advice to their
political masters, because of the risks of disclosure of what they write in
briefing notes. It is as if the argument is being made that government is being
undermined by too much democracy.
A fundamental component of any progressive, liberal democratic society should
be an open, accountable, transparent government at all levels of society. Public
bodies are custodians of vast stores of information with which they seek to
influence, for better or worse, the quality of life of each resident of the
province. Access to government records therefore must be a right of
citizens and not simply perceived as a gift from a passing leadership or a
particular political party.
In his last annual report, the highly-experienced federal
Information Commissioner, John Grace, stated: "No society can be truly
democratic if its citizens must be satisfied with the information fed to them by
their leaders." Yet a
senior public servant in this province said to me that the public's right to
know was limited to what it could ask for through its elected representatives.
When I countered that this sounded too much like the BBC-TV series Yes,
Minister, I heard unabashed acclaim for Sir Humphrey as an outstanding
This resistance to openness characterized the state of affairs in British
Columbia before the enactment of the Freedom of Information and Protection of
Privacy Act. Prior to 1993, British Columbians did not have a right at
common law to request government records outside the scope of court actions
involving government bodies. Access to information depended largely on the good
will of the government agency holding the records, and there were no oversight
mechanisms to assess whether all the records had been accounted for. With the
proclamation of the Act in 1993, there is now a clear set of rules conferring a
statutory right of access to any and all records in the custody or
control of a public body, unless those records fall under one of eleven
"exceptions" to the right of disclosure. Thus the Act is gradually eroding the
resistance to transparency and promoting a culture of openness.
"Public body" has been broadly defined under the Act to include all
ministries, Crown corporations, municipal and local governments, hospitals,
schools, universities, municipal police departments, health boards and
self-governing professions such as the Law Society and the College of Physicians
and Surgeons. The Legislature has determined that this broad scope is fully
The right of access to records is limited if the information in a record
falls under one of the "exceptions" in the Act. Exceptions are determined by
either a "harms test" or a "class test." Thus, information which, if disclosed,
would cause certain categories of "harm" may be withheld. For example, law
enforcement information may be withheld under this test if disclosure would harm
an ongoing law enforcement investigation. "Class test" exceptions identify
discrete categories of information; for example, legal or policy advice.
Information that falls within one of these exceptions does not require an
assessment of "harm" in order to be withheld. In class-based exceptions, the
harm that would be caused by disclosure is presupposed.
In theory, all discretionary exceptions should be given the narrowest
application possible. They should be designed to protect only that information
which must or should be kept secret for the public body to properly conduct its
affairs. All other information, if requested, should be made available.
In my opinion, the eleven exceptions in the Freedom of Information and
Protection of Privacy Act are sufficiently broad to allow public bodies to
operate in a "zone of confidentiality," where necessary in the public interest.
Indeed, in my view, some of the exceptions are overly broad. From an
accountability perspective, it is unnecessary and undesirable for these
exceptions to be increased in scope or in number. Such amendments would deny
access to information formerly available for inspection. Furthermore, I submit
it is in the public interest to consider narrowing some of the exceptions
that are already in place or changing some of the current class-based
exceptions to harms-based exceptions. British Columbians continue to demand more
open and accountable government. Widening the curtain behind which information
can be withheld would be an unfortunate move.
In short, access to information and the protection of privacy are fundamental
democratic and human rights in a free society, as our Act has already
recognized. In my opinion, the Legislative Assembly of British Columbia should
do everything in its power to ensure the continuation, extension, and
strengthening of these rights during its review of the Act.
[Return to Table of Contents]
I find further support for freedom of information, in particular, in the
December 1997, White Paper of the UK government with respect to its proposals
for a Freedom of Information Act, and I would like to draw the attention
of the Special Committee to this important development:
This White Paper marks a watershed in the relationship between the
government and people of the United Kingdom. At last there is a government
ready to trust the people with a legal right to information. This right is
central to a mature democracy. [The Chancellor of the Duchy of Lancaster]
Unnecessary secrecy in government leads to arrogance in governance and
defective decision-making. The perception of excessive secrecy has become a
corrosive influence in the decline of public confidence in government.
Moreover, the climate of public opinion has changed: people expect much
greater openness and accountability from government than they used to.
The British White Paper, for example, proposes a "substantial harm test" that
may be worthy of emulation in this province:
3.7 We believe the test to determine whether disclosure is to be refused
should normally be set in specific and demanding terms. We therefore propose
to move in most areas from a simple harm test to a substantial harm test,
namely will the disclosure of this information cause substantial
[Return to Table of Contents]
The Government of British Columbia made a decision early on to keep access to
records affordable under the Freedom of Information and Protection of Privacy
Act. This has resulted in an enthusiastic use of the Act by ordinary British
Columbians to obtain access to both general and personal information. The Act,
as it is currently written, permits public bodies to charge reasonable fees for
access to general information. It is only recently that more of them have begun
making use of fee estimates under section 75 of the Act to
recover some of the costs of processing requests for records. Individuals may be
charged a fee for locating, retrieving, and producing the record, preparing it
for disclosure, and for photocopying, shipping, and handling it. Commercial
applicants can be charged the actual cost of processing the request. As it
stands today, there is no charge for actually making the request, a condition
that I strongly favour in an open and accountable system of democratic
One of the most common complaints of public bodies is that, in these times of
fiscal restraint, resources devoted to administering the Freedom of
Information and Protection of Privacy Act are "wasted." This claim ignores
the economic and other benefits which accrue to the public through open
government. As John Grace has said about the federal Access to Information
The benefits of this law, in fact are tangible and
profound. Courtesy of the right to know, there is greater responsibility,
honesty, frugality, integrity, better advice and more selfless decision-making.
Every exposure, as a result of an access request, of abuse of power, excessive
perks and privileges or just plain silliness, serves the public purse and the
public interest. The modest cost of administering access rights...is by any
honest measure a bargain.
My office has always sought and promoted cost-effective, pragmatic, and
functional solutions to the access and privacy problems that face both public
bodies and ourselves. However, my concern over any possible increases in user
fees is that they will only further restrict access to information by the
public and deter legitimate requests for information. This does not promote the
principle of accountable government. Rather, it creates a two-tier class system
whereby those with the financial resources can access information, and those
without financial resources are left out. Governments should be accountable to
all British Columbians, not only to those who have the resources to pay for
access to information. Further, those with the least resources to pay may even
have a greater interest in accessing information held by government,
since, by reason of their situation, they are often subjected to greater
government scrutiny than those with the resources to exercise their rights
In my office's experience, some applicants are discouraged and abandon their requests once they receive a fee estimate because they are unable to muster the resources to pay. I share the belief of my federal counterpart, John Grace, that some of the costs of administering the Freedom of Information and Protection of Privacy Act could be reduced without the need to impose fees.
Request-processing within some public bodies is sometimes unwieldy and
requires consideration, debate, and sign-off by various managers at several
different levels of the organization. Some public bodies resist the delegation
of authority in the processing of requests. Furthermore, high search costs
associated with many requests are often the result of inadequate records
management and not the request itself. In such cases, applicants may be
penalized for substandard record-keeping, which inflates the time spent
searching for records. It is not fair that an applicant should be required to
pay for these extra costs.
[Return to Table of Contents]
4. Dealing with Frivolous and Vexatious Requests: Section 43As
Information and Privacy Commissioner, I have dealt with a small number of
applicants whose repetitive and systematic requests collectively have cost
public bodies considerable amounts of money and have consumed personnel and
equipment which could be used more productively to promote the goals of the Act.
Section 43 of the Act
addresses this problem. To date, I have authorized public bodies to disregard
requests from approximately twelve of these applicants pursuant to section 43. In my view,
the actions of these and other applicants have driven up the costs of access to
information incurred by certain public bodies and have brought the
administration of the Act into disrepute in some sectors of government. One
applicant, for example, has had over 75 reviews, privacy complaints, and other
files before my office, resulting in considerable cost to a number of public
bodies and my office. I believe that I need greater authority to deter such
abuses of the Act.
Section 43 should be
revised to address these concerns. I recommend the following wording:
43. If the head of a public body asks, the commissioner may authorize the
public body to disregard requests under sections 5 and 29 that
(b) are frivolous, vexatious or not made in good faith.
This amendment would allow me to authorize public bodies to disregard
repetitious or systematic requests for information under section 5 and for the
correction of personal information under section 29. It would also
allow me to authorize public bodies to disregard requests made under these
sections where such requests, although not systematic or repetitious, are
frivolous, vexatious, or not made in good faith Of course, the same standard
should apply with respect to both section 5 and 29 requests: that is that
they interfere unreasonably with the operations of the public body.
[Return to Table of Contents]
Part 5 of the Act should be amended to remove such an automatic right
to a formal inquiry by the Information and Privacy Commissioner under section 56. For example, a
substantial number of the Commissioner's Orders have dealt with allegations of
inadequate searches by public bodies, in circumstances where a reasonable person
would likely conclude that the public bodies had made every reasonable effort to
search for allegedly missing records.
I recommend that a new provision be added to section 56 as follows:
56(1.1) Notwithstanding section (1), the commissioner may refuse to
conduct an inquiry where in the commissioner's opinion
(b) the applicant's request for review is frivolous, vexatious, or not
made in good faith, or
(c) the applicant has abused his or her rights under the Act by bringing
requests for review that are of a repetitious or systematic nature and that
have unreasonably interfered with the operations and responsibilities of the
Information and Privacy Commissioner under the Act.
[Return to Table of Contents]
I also recommend that under section 49(1)(b), the
Commissioner should be able to delegate the power to inspect records that
contain section 12
(Cabinet Confidences) and section 15 (Law
Enforcement) information. This would make for an easier distinction in my office
between the mediation phase and a formal inquiry. Portfolio Officers need to be
able to see all records in order to efficiently and effectively mediate a
[Return to Table of Contents]
The Act currently covers the executive branch of government, leaving the
legislative branch outside the scope of access and privacy rights. In relation
to requests for records from the public, I believe that the Act should apply to
administrative records in the custody and control of the offices of Members of
the Legislative Assembly. The principle is the same in both branches of
government: accountability for the expenditure of public funds.
The administrative operations of the Legislative Assembly itself should also
be fully covered by the Act. I recommend that the definition of "public body" in
the Act be extended to apply to the administrative operations of the Legislative
Assembly, including the Offices of the Speaker, the Clerk, the Legislative
Comptroller, the Sergeant-at-Arms, Hansard, and the Legislative Library.
Part 3 of the Act also should apply to the offices of Members of the
Legislative Assembly, as it does to the Officers of the Legislative Assembly.
Part 3 contains the "Code of Fair Information Practices" that governs the
collection, use, disclosure and retention of personal information. Individual
employees and Members of the Legislative Assembly should have the same statutory
rights of privacy protection, as set out in Part 3, that other public servants
enjoy. This means that both Part 2 (access to records) and Part 3 (protection of
personal information) of the Act should apply to the administrative operations
of the Legislative Assembly.
[Return to Table of Contents]
At present, only the twelve municipal police forces in British Columbia are
covered by the Act. The Royal Canadian Mounted Police, functioning as a
provincial or municipal police force, is under the aegis of the federal
Privacy Act, which is an older and more restrictive piece of legislation.
For example, section 8(2)(m) of the federal Privacy Act makes it harder
than under the provincial Act to release personal information that is clearly in
the public interest, such as in the case of predatory sex offenders. Moreover,
the federal Privacy Commissioner has limited financial and personnel resources
when it comes to detailed, daily work on information and privacy issues with the
RCMP in this province. In contrast, the BC Commissioner has explicit auditing
power over all public bodies, which I exercise in the form of site visits in
particular. Thus, I actually go to municipal police forces for site visits that
are useful in raising consciousness about fair information practices among law
enforcement personnel. I have conducted site visits to both the Vancouver and
Victoria police departments on several occasions. There are also related
problems evolving out of the different ways in which the respective police
forces function, bureaucratically, with respect to notifications to the public
about the presence of sexual offenders in the community who pose a serious risk.
In short, residents of this province have stronger and, arguably, more
meaningful disclosure and privacy rights under the provincial Act than under the
equivalent federal privacy legislation. Thus, B.C. residents face a confusing
and uneven blanket of access and privacy rights in this area. It is my
considered opinion that in performing provincial and municipal policing, in
particular under contract to the province, the RCMP should fall within the scope
of the British Columbia Freedom of Information and Protection of Privacy
It is my goal, wherever possible, to ensure that the people of British
Columbia enjoy the greatest access rights and the highest possible protection
for their personal information, regardless of jurisdictional and constitutional
divisions of authority in the law enforcement field. Coherence and transparency,
as well as a desire to provide rights to British Columbians, militate in favour
of such a step.
[Return to Table of Contents]
My office has prepared an enlightening table that compares the B.C. Act, the
European Union's Directive on Data Protection, and the Model Privacy Code of the
Canadian Standards Association (CSA). All of the member nations of the European
Union, including the United Kingdom, are currently revising their data
protection (privacy) laws to ensure that they meet the standards set out in the
Directive. The Directive is the latest word on European privacy protection and
thus a standard that Canadians and British Columbians will be expected to meet,
if our companies and organizations are exchanging personal data with the
Based on Appendix B, it is clear that the B.C. Freedom of Information and
Protection of Privacy Act fares well by national and international
standards. In the table an asterisk marks the provision that offers the
strongest protections for personal privacy. What the Special Committee should
note, in particular, are the categories where the B.C. Freedom of Information
and Protection of Privacy Act is, in our judgment, weaker than the European
Directive. These categories include:
In our judgment, the CSA Code also has stronger provisions than either the
European Directive or the B.C. Act with respect to:
Thus, by other recognized standards, there is clearly a need to enhance the
existing privacy protections available to British Columbians under the Act.
[Return to Table of Contents]
The federal Parliament and the Legislature of British Columbia also, should
extend the statutory privacy rights of individuals to the private sector.
British Columbians must have the tools to ensure the protection of their
personal information into the next century. I am referring in particular to the
appropriate collection, use, disclosure, and retention of personal information
by private sector organizations and companies not currently covered by the
Freedom of Information and Protection of Privacy Act.
Such entities include telephone companies, banks and trust companies, credit
unions, employer associations, labour unions, transportation and
telecommunications companies, large and small retailers, grocery stores,
pharmacies, direct marketers, telemarketers, insurance companies and brokers,
physicians, dentists, lawyers, accountants, therapists, physiologists, travel
agencies, charitable organizations, associations, churches, hotels, investment
dealers, and video rental shops.
I realize, of course, that the federal government has sole jurisdiction over
some of these entities, but I present such a long list to show the Special
Committee the extent to which, with the exception of Quebec, the private sector
in Canada is almost completely unregulated, except by market forces, in relation
to the use and re-use of personal information. Quebec has had legislation in
place mandating fair information practices for the private sector since January
1, 1994. Every member country of the European Union has similar legislation in
place, as do New Zealand, Hong Kong, and Hungary.
When the European Union's Directive on Data Protection comes into effect in
the fall of 1998, Canadian companies and organizations will be unable to
transfer personal information about customers, members, or employees in or out
of the European Union, because Canada and most of its provinces do not have
adequate or equivalent data protection legislation in place. While I am aware
that contractual arrangements may be available as a second level solution, it is
embarrassing that Canada has weaker protections for privacy as a human right
than member states of the European Union. As a British Columbian, with such
superb legislation already covering the public sector, the contrast is even more
disturbing. B.C. should again take a leadership role in this area.
As a fundamental human right, privacy requires explicit legislative
protection. Some segments of the private sector continue to insist that market
forces and self-regulation are sufficient to protect the interests of consumers.
The Canadian Bankers' Association (CBA) has a model privacy code for its
members. Similarly, the Canadian Direct Marketing Association (CDMA) has a
privacy code for its member organizations. However, none of these codes has the
force of law, which is the goal of most privacy advocates. Even the CDMA has
supported the call for legislation for the federally-regulated private
I applaud the voluntary efforts these groups have made, especially the
Canadian Standards Association's Model Code for the Protection of Personal
Information, promulgated in 1996 on the basis of several years of
consultation. I strongly urge every "private sector" organization in the
province to subscribe to it and to customize its general rules to their
particular business and organizational activities. My office continues to offer
assistance and guidance for these purposes. However, stronger controls are
necessary, a fact that the federal government has already recognized.
In September 1996, the Minister of Justice, then the Honourable Allan Rock,
addressed the Eighteenth International Conference on Privacy and Data Protection
in Ottawa. The Minister clarified the Government of Canada's commitment to
privacy rights in the federally-regulated private sector:
...[T]he field of privacy is governed by laws created at both the
provincial and national levels. Because we in this country work in a federal
system, we at the national level must work in concert with our provincial and
territorial counterparts in order to achieve change....
Although I agree with Allan Rock's statements, the amount of personal
information in the private sector under the control of the federal government is
quite limited. Therefore, I strongly recommend that the Government of British
Columbia introduce legislated privacy rights for the protection of personal
information in the custody or under the control of non-government bodies in
[Return to Table of Contents]
The Credit Reporting Act, R.S.B.C. 1996, c. 81, establishes
minimum requirements for credit reporting agencies (primarily credit bureaus)
operating in the Province of British Columbia. These requirements include
privacy protection provisions regarding disclosure and content of credit reports
and a process for individuals to have access to and correct their credit
information. These provisions may not, however, meet the current standard for
fair information practices established in Part 3 of the Freedom of
Information and Protection of Privacy Act and, therefore, should now be
updated. Also, I believe the ultimate responsibility for overseeing the privacy
practices of credit bureaus should be transferred from the Ministry of Attorney
General to the Office of the Information and Privacy Commissioner, as has been
the case in Quebec since 1994. This should accompany the extension of the Act to
the private sector.
[Return to Table of Contents]
During times of fiscal restraint, the privatization of government services is
often seen as a reasonable cost-saving measure. However, the federal Privacy
Commissioner has expressed concern about the negative consequences of
privatization on privacy. According to Bruce Phillips:
Commissioner Phillips considers the privatization of federal government data
banks to be "a privacy disaster:"
My view is that where governments privatize services that ministries and
Crown corporations previously had provided, fundamental access to records and
protection of privacy rights may be minimized or lost for both the public and
employees. Government should examine ways of transferring these rights in the
Act to any newly-privatized entity, just as successor rights apply in the labour
The current trend toward contracting-out the management of government data is
also growing. Any government data banks containing personal information could
feasibly be targeted for this purpose. This could include medical records,
social services records, property assessment records, educational records, and
driving records. For example, the government of British Columbia is now in the
process of contracting-out the management of BC Online, which accesses the
Assessment Roll, the Land Title Registry, the Corporate Registry, and the
Personal Property Registry. British Columbians should have the right to expect
the same standards and respect for their access and privacy rights regardless of
whether the information resides in a Ministry file or within the computer
network of a private contractor who has been hired to manage that data.
My office has worked closely with the province to ensure that relevant
"Requests for Proposals" (RFPs) for contracting-out contain appropriate privacy
and data security standards to ensure compliance with the Act. Such standards
should include the usual fair information practices: use of the information
only for purpose for which it was collected; no disclosure without
consent; no secondary uses of the data; the right of individuals to correct
their personal information in the data bank; rights of individual access; and
limited access to the data bank. Any contracts entered into under these
circumstances must be audited for compliance with the Act's privacy standards,
with accompanying penalties or contract cancellation in the event of a
While specific wording in specific contracts alleviates some of my concern
over the privacy and security issues which accompany contracting-out, I strongly
believe that the continuing protection of personal information, should be
clearly stated during processes of privatization or contracting out of
government services, in the Freedom of Information and Protection of Privacy
Act. The privacy issue is compounded further as the line between public and
private sector data bases becomes blurred.
[Return to Table of Contents]
note: all references to section numbers in the Freedom of Information
and Protection of Privacy Act (the Act) are to the R.S.B.C. 1996
1. Time Limits and Time Extensions
Time extensions while awaiting payment of fees
Section 10(1) should
be amended to permit public bodies to stop the 30-day clock under section 7 while public
bodies await payment of fee estimates. Public bodies now do this but without
express statutory authority.
Time extensions for extenuating circumstances
Section 10(1) should
be amended to permit the Information and Privacy Commissioner to grant time
extensions where extenuating circumstances require additional time for a public
body to process a request for records. For example, strikes, lockouts, natural
disasters, fires, and earthquakes, all may result in public bodies not being
able to locate or get to records, computer equipment, and offices.
Time extensions to permit clarification of requests
should be amended or deleted to permit public bodies to start the 30 day clock
once the request is clear. Under the present wording, public bodies may lose
some of the 30 days if the applicant cannot or will not clarify or identify the
should be amended to clarify the link between the time limits in sections 10, 23, and 24. Currently it is not
clear if public bodies must take a time extension under section 10, if they are
notifying third parties under sections 23 and 24. Presumably the time
limits under sections
23 and 24 then
apply, but the Act is not clear on this point.
Time extensions during third-party reviews
should state that where a third party asks for a review under section 52(2) or 62(2), the time for
processing the applicant's request is extended until the third party's review
has been concluded.
Time extensions during section 43
A new provision in section 10(1) is required
to permit the Information and Privacy Commissioner to grant time extensions to a
public body that has requested an authorization to disregard the applicant's
requests for records under section 43 of the Act. The
current legislation requires public bodies to continue processing an applicant's
requests until the Commissioner approves a section 43 authorization
to disregard such requests.
The new provision might read as follows:
10(1) The head of a public body may extend the time for responding to a
request for up to 30 days or, with the commissioner's permission, for a longer
2. Exceptions to Disclosure: sections 12 to 22
Policy advice and recommendations: section 13
Section 13(1) should
be amended to include a "significant harms test." This will ensure that public
bodies withhold only the advice and recommendations where disclosure could
significantly harm the public body or the Government of British Columbia.
Law enforcement information: section 15
Section 15 should be
amended to restrict the definition of "law enforcement" to policing or
conventional law and by-law enforcement under statutory and regulatory
authority. Section 16 of the federal Access to Information Act
legislation is more restrictive and could be used as a model. The current
definition is so expansive as to allow public bodies to protect almost any
activity. If it is necessary to protect other more administrative activities
which are currently protected by section 15, a separate
exception could be used.
Third-party personal information: section 22
Section 22(4) should
be amended to provide that it is not an unreasonable invasion of personal
privacy of a third party to disclose personal information about the third party
where that person has been deceased for more than 20 years. Section 36 permits the
disclosure of personal information about persons deceased for more than 20 years
for archival and historical purposes. Therefore, I recommend that section 22(4) permit
disclosure of a deceased person's personal information after 20 years.
Public interest disclosure: section 25
Section 25(2) should
be amended to read "25(2) Subsection (1) applies despite any other provision
in Part 2, Division 2 or section 33 of this
Act." This amendment will address the interpretation given to section 25(2) by Madam
Justice Levine of the British Columbia Supreme Court, sitting as an Adjudicator
under section 60(1)(b)
of the Act, in an adjudication order dated June 30, 1997 (Gordon Ronalds and
the Office of the Information and Privacy Commissioner).
The proposed amendment to subsection 25(2) will
avoid public bodies being required to search their otherwise excluded records
under sections 3(1)(a)
to 3(1)(i) for information that must be disclosed in the public interest under
section 25. These
records include records in court files, criminal justice prosecution files, and
collections of private records in the BC Archives and Records Service.
3. Part 3 of the Act: Fair Information Practices
Correction of personal information: section 29
In relation to section
29 of the Act, section 89(5) of the Child, Family and Community Service
Act, R.S.B.C. 1996, c. 46 (the CFCS Act), should be amended
specifically to include section 29.
The CFCS Act gives the Commissioner power to order correction of
personal information in records that fall under the CFCS Act. This is
evident by the mention of section 58(3)(d) of the
Act in section 89(5) of the CFCS Act. However, section 89(5) should also
mention section 29 of
the Act, because it is the latter section that permits public bodies to correct
or annotate personal information.
4. Part 4 of the Act: Office and Powers of the
Exclusion of Commissioner's staff: section 41
In relation to section
41 of the Act, the definition of "employee" in the Public Service Labour
Relations Act, R.S.B.C. 1996, c. 388, section 1(1), should be amended to
exclude staff of the Office of the Information and Privacy Commissioner. This
exclusion has already occurred under the legislation for the staff of the Office
of the Auditor General, the staff of the Office of the Ombudsman, and the staff
of the Chief Electoral Officer.
Statutory revision matter: section 41
In section 41(4)(b),
the phrase "are inadequate for fulfilling the duties of the office" should not
be part of this section. Rather, this phrase should be moved to the line below
section 41(4)(b) so
that it can be read as applying to both sections 41(4)(a) and
41(4)(b). The original version of the Act had the correct spacing. See also the
Auditor General Act, section 8(4) for an example of correct spacing of
paragraphs. So amended, section 41(4) would read
41(4) The commissioner may make a special report to the Legislative Assembly
if, in the commissioner's opinion,
(b) the services provided by the Public Services Employee Relations Commission
are inadequate for fulfilling the duties of the office.
5. Investigation and Reporting Powers of the Commissioner
Special reports to the Legislative Assembly: section 42
The Information and Privacy Commissioner should have an express power in section 42(1) to make
special reports to the Legislative Assembly beyond the annual report requirement
in section 51 and the
special report for budgetary purposes in section 41(4). Similar
provisions are found in the following legislation:
Solicitor-client privilege: section 44 -- production
of records and continuation of privilege
Section 44 should be
amended to expressly state that inspection by, or disclosure to, the Information
and Privacy Commissioner of solicitor-client privileged records during reviews,
inquiries, and complaint investigations, does not waive solicitor-client
privilege. The Legal Profession Act, R.S.B.C. 1996, c. 255, section
63(2), contains a similar provision that continues privilege where lawyers'
files are transferred to the custody of the Law Society.
Section 44(3) should
be amended to change the phrase "any privilege of the law of evidence" to "any
legal privilege." The Supreme Court of Canada has ruled that solicitor-client
privilege is not an evidentiary privilege but substantive law. This
amendment will clarify the rule in section 44(3) that
requires public bodies to produce records to the Information and Privacy
Commissioner, even where those records are subject to solicitor-client
Protection of the Commissioner and staff from being compelled: section 45
Section 45 should be
amended to prevent the Commissioner and his or her staff from being compelled to
give evidence in legal proceedings in relation to their duties and functions
under the Act. As well, section 45 should be
amended to prevent information obtained by the Commissioner and staff during the
exercise of their duties and functions from being compelled in legal
There are similar provisions in the Child, Youth and Family Advocacy
Act, section 8, and the Ombudsman Act, sections 9(5) and 20(2).
Inquiry by the Commissioner: Section 56(6)
My office's interpretation of the mediation process for requests for review
by the Commissioner means that the actual mediation period is sixty-eight days
in order to exchange submissions before the ninety-day period expires, as
required by section
56(6). The written inquiry process requires twenty-one days for the
preparation and exchange of submissions among the parties. Officially, an
inquiry by the Commissioner occurs on the ninetieth day of the mediation period
set out in section 55.
The Special Committee is aware that the Portfolio Officers successfully mediate
a very high percentage of requests for review. Sometimes the ninety-day time
limit is extended by agreement of the parties or by my authorization. But
sixty-eight days is clearly not long enough for complex cases, or ones in which
the parties are hard to reach.
My judgment is that it would be preferable to allow a full ninety-day
mediation period by specifying such a time limit in section 55 and removing section 56(6).
Order-making powers: section 58
Mandatory versus discretionary order-making power
Section 58 requires
the Commissioner to dispose of the issues by making an Order. In some inquiries,
I have concluded that an Order should not be issued, such as where I have found
that a public body has complied with its duty to assist applicants under section 6 of the Act. I
recommend that section
58(1) be amended to give the Commissioner discretion to decline to issue an
Order in an inquiry. This can be done by changing the phrase "...the
commissioner must..." to "...the commissioner may..." in section 58(1). I do not
wish to remove or dilute any of the order-making authority of the Commissioner,
which is such a central feature of the Act.
In my opinion, section
58(2) should continue to use the mandatory phrase "...the commissioner
must..." because the Commissioner always issues an order where the inquiry
reviews a decision to give or refuse access to records. The change from "must"
to "may" in section
58(1) would make that section consistent with the permissive "may" in section 58(3).
Authorizations by Adjudicators: Section 63
Section 61(1) gives
the adjudicator the powers of the Information and Privacy Commissioner under section 43 in respect of
applications to disregard requests for records that, because of their
repetitious or systematic nature, would unreasonably interfere with the
operations of the Information and Privacy Commissioner. This means that under section 43, the
Commissioner can apply for an authorization to disregard such requests where the
Commissioner is acting as a public body.
The appointment process for an adjudicator in relation to section 43 is not clear,
however. Section 63
establishes the right of parties to request the appointment of an adjudicator to
review the Information and Privacy Commissioner's decisions to sever or withhold
records. Section 63(1)
requires the parties to deliver their written requests to the minister
responsible for the Act (currently the Minister of Employment and Investment).
[Please note: as per Order-in-Council 177-98, 11,
the Minister of the newly appointed Ministry of Advanced Education, Training and
Technology has now been charged with the administration of the Freedom of
Information and Protection of Privacy Act and all other heretofore provisions in
previous orders charging another member of the Executive Council with the
administration of that Act are recinded.] Experience to date with the section 43 process shows
that relatively fast decision-making is required, given the stresses imposed on
the public body by an applicant's repetitious or systematic requests.
The usual appointment of adjudicators takes place after a review by the
Minister of Employment and Investment. The Minister then contacts the Office of
the Chief Justice of the Supreme Court to request that an adjudicator be
appointed. Adjudication proceedings may take months to proceed from the Minister
to the Office of the Chief Justice.
I therefore recommend that where the Information and Privacy Commissioner
requests relief from repetitious or systematic requests under section 43, the
Commissioner be permitted to apply directly to the Registrar of the Supreme
Court of British Columbia to request appointment of an adjudicator. The
following proposed addition to section 63 would resolve
63(4) Where the commissioner as head of a public body requests an
authorization to disregard requests for records under section 43, the
commissioner may apply to the Registrar of the Supreme Court to request
appointment of an adjudicator.
Section 58 does not
expressly provide for the Commissioner to issue interim Orders where he or she
wishes to retain jurisdiction to consider subsequent issues arising from the
same request and review.
The need for interim order-making power arose recently in two inquiries. In
158-1997 (Workers Compensation Board of British Columbia, April 10, 1997)
and Order No.
186-1997 (Public Service Employee Relations Commission, August 20, 1997), I
found that the public bodies had not properly reviewed and severed records in
response to requests for records. The public bodies were ordered to review and
sever records and then to provide the office of the Commissioner with the
severed versions of the records. In the two Orders, I "retained jurisdiction"
over the issues until completion of the severing. See also Order No.
115-1996, August 23,1996, where the Order did not conclude the inquiry
Section 58 should
permit the Commissioner to make interim Orders that compel a public body to do
or not do something, pending final determination of the issue by the
Commissioner in the continuation of the inquiry. This will avoid the anomalous
situation of sending applicants back to the beginning of the 90-day review line
if they must request a new review of the severing of records that a public body
should have done in the first place.
6. Part 6 of the Act: General Provisions
Addition of new public bodies: section 76
Section 76(2) should
be changed to add an amending formula similar to the Ombudsman Act for
adding new public bodies. The Ombudsman Act states that if a majority of
a board of directors is appointed by the government, then it is covered by the
Ombudsman Act. This amendment would keep Schedule 2 current, without
having to wait for a change by Order in Council.
Sections 76(3) and
76(4) should also be amended to ensure that the Lieutenant Governor in Council
routinely adds new public bodies to the Schedules 2 and 3 lists of public bodies
and self-governing professional bodies.
Review of the Act: section 80
It will be evident to the Special Committee, from the range of submissions it
is receiving, that the implementation of a complex Act is still being fine
tuned. Thus I would urge you to amend section 80 to require the
startup of another comprehensive review by a Special Committee of the
Legislative Assembly by October 4, 2002.
7. Regulation 3(b)
Regulation 3 should be amended to authorize a person acting for a minor to
authorize the disclosure of personal information under section 33(b). It was
presumably an oversight not to have specified this in the original Regulation.
At present, such representatives have to obtain the information and then pass it
[Return to Table of Contents]
European Union Directive
CSA Model Code
Goals / Objectives
Protect personal information by giving public a right of access to their personal information, the ability to correct that information and prevention of unauthorized use of disclosure of personal information.
*...protect the fundamental rights and freedoms of natural persons, and in particular their right part to privacy, with respect to the processing of personal data.
The objective of this standard is to assist organizations in developing and implementing policies and practices to be used when managing personal information.
Definition of "personal information"
* Personal information is defined as recorded information about an identifiable individual, including their name, address, phone number, race, national or ethnic origin, colour, religious or political beliefs or associations, age sex, sexual orientation, marital status or family status , identifying numbers, symbols or other particular assigned to the individual, fingerprints, blood type or inheritable characteristics, information about the individual's health care history, physical or mental disability, educational, financial, criminal or employment history, anyone else's opinions about the individual, and the individual's personal views or opinions, except if they are about someone else.
"personal data" means any information to an identified or identifiable natural persons (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
(See Article 2 Definitions)
"Personal information" about an identifiable individual that is recorded in any form.
(See c 2.1 Definitions)
Definition of "record"
* Includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by graphic electronic, mechanical or other means, but does not include a computer program or any other mechanism that produces records.
No specific definition of record but Directive applies to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
No specific definition of record but definition can be surmised from that of `personal information' recorded in any form.
(See c 2.1 Definitions)
Definition of "personal information bank"
"Personal information bank" means a collection of personal information that is organized or retrievable by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.
|* "Personal data filing system" (filing system) is any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. (See Article 2 Definitions)||
No definition of personal data bank
Purpose for which personal information may be collected
The collection must be expressly authorized by or under an Act - information is collected for the purposes of law enforcement, or - information relates directly to and is necessary for an operating program or activity of the public body.
(See s. 26)
* Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes...adequate, relevant and not excessive in relation to the purposes for which they are collected and/or for which they are further processed
(See Article 6.1(a)(b)(c))
|Organizations shall not collect personal information
indiscriminately and both the amount and the type of information collected
shall be limited to that which is necessary to fulfill the purposes
identified. Organizations should specify the type of information collected
as part of their information-handling policies and practices, in
accordance with the Openness principle. The requirement that personal
information be collected by fair and lawful means is intended to prevent
organizations from collecting information by misleading or deceiving
individuals about the purpose for which information is being collected.
(See Principle 4)
How personal information is to be collected
A public body must collect personal information directly from the individual the information is about unless: -another method of collection is authorized by that individual, the commissioner or another enactment; -the information may be disclosed to the public body under sections 33 to 36; -the information is collected for the purpose of determining suitability for an honour or award, a proceeding before a court or tribunal, collecting a debt or fine or making a payment or law enforcement.
(See s. 27)
Personal data may be processed only if the data subject has given his consent unambiguously; or in compliance with a legal obligation (including a contract) to which the controller or data subject is bound. Reasonable steps must be taken to ensure that data is accurate and, where necessary, kept up to date. Information should not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes of collection. (See also "Notice of Collection" below) Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life except as allowed in Article 8
(See Article 8)
* Knowledge and consent of the individual are required for the collection except where this is inappropriate (legal, medical, security reasons may make it impossible or impractical). To make consent meaningful, the purposes must be stated in a reasonably understandable manner. Consent shall never be obtained through deception. Express consent should always be obtained for sensitive information. An organization may not require an individual to consent to collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purpose. Purpose for collection must be identified at or before the time the information is collected to the individual from whom the personal information is collected. This should be done either orally or in writing.
(See Principle 3)
Notice of collection
A public body must tell an individual from whom it collects personal information the purpose for collecting it, the legal authority for collecting it and the title, business address and business telephone number of an officer or employee of the public body who can answer the individual's questions about the collection. This notice is not required if the information is about a law enforcement matter or the Minister responsible for the FOIPP Act excuses a public body from complying with it because doing so would result in the collection of inaccurate information or defeat the purpose or prejudice the use for which the information is collected. (See s. 27)
|* In cases where personal information is being processed
the controller must provide the data subject from whom data relating to
himself are collected with at least the following information, except
where already known: -the identity of the controller and/or of his
representative - the purposes of the processing for which the data are
intended -any further information such as the recipients or categories of
recipients of the data, whether replies to the questions are obligatory or
voluntary, as well as the possible consequences -the existence of the
right of access to and the right to rectify the data concerning him. This
does not apply to processing for statistical purposes or for the purpose
of historical or scientific research, or where the provision of
information proves impossible or where disclosure is prohibited by law.
(See Articles 10 and 11)
Member States shall provide that the controller must notify the supervisory authority referred to in Article 28 before carrying out any wholly or partly automatic processing. Exceptions are provided to this rule under conditions where the processing of data is unlikely to adversely affect the rights and freedoms of data subjects. (See Article 18 or Article 19 for contents of notification to supervisory authority) Member States shall determine the processing operations likely to present specific risks for the rights and freedoms of data subjects and shall check that these operations that these operations are examined prior to the start thereof. Measures shall be taken to ensure that processing operations are publicized and that a register of such operations is kept and made available to any person. (See Articles 20 and 21)
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals should be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. The information made available shall include:
-the name and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded -the means of gaining access to personal information held by the organization -a description of the type of information held by the organization, including a general account of its use -a copy of any brochures that explains the organization's policies and codes -what personal information is made available to related organizations (e.g., subsidiaries). (See Principle 8, c 4.8)
|Accuracy of personal information||
If an individual's personal information will be used by a public body to make a decision that directly affects the individual, the public body must make every reasonable effort to ensure that the information is accurate and complete. (See s. 28)
Personal data must be accurate, and where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed are erased (See Article 6(1)(d))
* Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual. An organization should not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.(See Principle 6)
Right to request correction of personal information
An applicant who believes there is an error or omission in his or her personal information may request the head of the public body that has the information in its custody or under its control to correct the information. If no correction is made in response to this request, the public body must annotate the information with the correction that was requested but not made. On correcting or annotating the personal information under this section, the public body must notify any other public body or any third party to whom that information has been disclosed during the one year period before the correction was requested. (See s. 29)
* Data subjects must be told of their right to access their personal information and of their right to rectify the data concerning them. Member States shall guarantee for every data subject the right to obtain from the controller rectification, erasure or blocking of data, the processing of which does not comply with this Directive, in particular because of the incomplete or inaccurate nature of the data. Notification to third parties to whom the data has been disclosed of any rectification, erasure or blocking carried out in compliance with the above requirements unless this proves impossible or involves a disproportionate effort.
(See Articles 10, 11 and 12)
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending on the nature of the information challenged, amendment involves the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question. When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge should be recorded by the organization. When appropriate the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.
(See Principle 9)
Protection of Personal Information
Public bodies must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal. (See s. 30)
* Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss and against unauthorized alteration, disclosure or access in particular where the processing involves the transmission of data over a network. Having regard to the state of the art and the costs of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Controllers must provide sufficient guarantees in respect of the technical security measures and organizational measures and must ensure compliance with those measures. The carrying out of the processing must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: -the processor shall act only on instructions from the controller -these obligations shall be incumbent on the processor. If processing would involve a data transfer to a third country, the adequacy of the level of protection afforded by that country shall be assessed in the light of all the circumstances surrounding it; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing, the country of origin and the country of final destination, and the rules of law and the professional rules and security measures which are in force and complied with in those countries. (See Article 25 and 26)
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosures, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The methods of protection should include: a) physical measures, for example, locked in cabinets and restricted access to offices; b) organizational measures, for example, security clearances and limited access on a "need-to-know" basis and c) technological measures, for example the use of passwords and encryption. Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information. Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. (See Principle 7)
Retention of personal information
If a public body uses an individual's personal information to make a decision that directly affects the individual, the public body must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it. (See s. 31)
Member States shall provide that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or which they are further processed Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (See Article 6 (d) and (e))
* Organizations should develop guidelines which provide minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods. (See Principle 5)
Destruction of personal information
No clause--destruction controlled by other statutes such as the Document Disposal Act.
* Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the collected purposes. Data which are inaccurate, incomplete or stored in a way incompatible with legitimate purposes shall be erased, rectified or blocked.
See Article 6 and 32)
Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations should develop guidelines and implement procedures to govern the destruction of personal information. (See Principle 5, c. (4.5.3)
Use of personal information
* A public body may use personal information only for the purpose for which that information was obtained or compiled or for a use consistent with that purpose; if the individual the information is about has identified the information and has consented, in the prescribed manner, to the use or for a purpose for which that information may be disclosed to that public body under sections 33 to 36. (see s. 32)
|The Directive does not refer to "use" of personal information; rather the term is "processing of personal data" and means any operation or set of operations which is performed upon personal data, whether or not by automatic means. Controllers must ensure that the information is only processed in a way compatible with the original purpose for which it was collected.(See Article 6 and 7) Member grant the right to every States shall person not to be subject to a decision which produces legal effects concerning him or significantly affects him based solely on automated processing of data intended to evaluate certain personal aspects relating to him. ( See Article 15)||When personal information is to be used for a purpose not
previously identified, the new purpose shall be identified prior to use.
Unless the new purpose is required by law, the consent of the individual
is required before information can be used for that purpose. (See
Principle2, c. 4.2.4) |
Organizations using personal information for a new purpose shall document this purpose in order to comply with the Openness principle. (See Principle 3, c. 4.4)
Disclosure of personal information
* A public body may disclose information only: -in accordance with Part 2 -if the individual the information is about has identified and consented to its disclosure -for the purpose for which it was obtained or compiled or for a use consistent with this purpose -for the purpose of complying with an enactment of, with a treaty, made under an enactment of BC or Canada -for purpose of complying with a subpoena, warrant or order -to an officer or employee of the public body if the information is necessary for the performance of the duties of, or for the protection of the health and safety of the officer or employee -to the AG for use in civil proceedings or actions under the Coroners Act -for collecting a debt or making a payment owed or owing to government -to a MLA whom the individual has asked for assistance -to the Auditor General for audit purposes -to BC Archives for archival purposes -to a law enforcement agency -if there are compelling circumstances that affect anyone's health and safety -so the next of kin or a friend of an injured ill, or deceased individual may be contacted -as part of a research agreement. (See s. 33)
|The data subject shall be notified at the time of collection the recipients or categories of recipients of the data. (See Articles 10 and 11) In addition, controllers shall specify to the supervisory authority the recipients or categories of recipient to whom the data might or be disclosed and any proposed transfers of data to third countries. (See Article 19) The data subject is granted the right to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses. (See Article 14) The controller must implement appropriate technical and organization measures to protect personal data against accidental or unauthorized disclosure. (See Article 17)||
Personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. (See Principle 5)
Definition of consistent purpose
|If the use has a reasonable and direct connection to the original purpose for which it was collected and is necessary for performing the statutory duties of, or for operating a legally authorized program of, the public body that uses or discloses the information. (See s. 34)||
* Personal data must be collected for specified, explicit and legitimate purposes only and not further processed in a way incompatible with those purposes.(See Article 6(1)(b))
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use.( See Principle 2, c.4.2.4)
Data Subject's right to object to the use of the information
* Appeal to the Information and Privacy Commissioner.
Data subject can object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where either is a justified objection, the processing instigated by the controller may no longer involve those data; Data subject can also object to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing. (See Article 14)
|An individual shall be able to address a challenge
concerning compliance with the CSA Code to the designated individual or
individual's accountable for the organization's compliance. Organizations
shall put procedures in place to receive and respond to complaints or
inquiries about their policies and practices relating to the handling of
personal information. The complaint process should be easily accessible
and simple to use. Organizations shall inform individuals who make
inquires or lodge complaints of the existence of relevant complaint
mechanism. A range of these mechanisms may exist. An organization shall
investigate all complaints. If a complaint is found to be justified
through either the internal or external complaint review process, the
organization shall take appropriate measures. |
(See Principle 10)
Penalties and Sanctions
The Commissioner may authorize a public body to disregard requests from an applicant that, because of their repetitious or systematic nature, would unreasonably interfere with the operations of the public body. (See s. 43) A person must not willfully do any of the following: - make a false statement to, or mislead or attempt to mislead, the commissioner or another person in the performance of the duties, powers or functions of the commissioner or other person under this Act; - obstruct the commissioner... - fail to comply with an order made by the commissioner under s. 58 or by an adjudicator under s. 65(2). A person who contravenes these rules is liable to a fine... (See s. 74)
|* Without prejudice to any administrative remedy for which provision may be made, Member States shall provide for the right of every person to a judicial remedy for any breach of rights guaranteed him by the national law applicable to the processing in question. (See Article 22) Any person who has suffered damage as a result of unlawful processing or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered. (See Article 23) Suitable measures shall be adopted to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions. (See Article 24)||
Self-regulatory and voluntary code developed for private sector. Three levels of registration by the Canadian Standards Association which performs audits of privacy practices.
Appendix B Prepared by: Mary Carlson, Portfolio Officer
Jason Young, Research Officer
Office of the Information and Privacy Commissioner of B.C.
February 3, 1998
[Return to Table of Contents]
 Information Commissioner of Canada, Annual Report, 1995-1996, page 3.
[Return to Body Text]
 Information Commissioner of Canada, Annual Report, 1995-1996, page
 Privacy Commissioner of Canada, Annual Report, 1995-1996, page 2.
 Privacy Commissioner of Canada, Annual Report, 1995-1996, page 1.
 Information Commissioner of Canada, Annual Report, 1995-1996, page 8.
[Return to Body Text]
 Privacy Commissioner of Canada, Annual Report, 1995-1996, page 2.
[Return to Body Text]
 Privacy Commissioner of Canada, Annual Report, 1995-1996, page 1.
[Return to Body Text]