Teresa Scassa - Blog

Tuesday, 04 July 2017 12:37

ATIA reform Bill creates new relationship between Information and Privacy Commissioners over "personal information"

Written by  Teresa Scassa
Rate this item
(0 votes)

Bill C-58, the government’s response to years of calls for reform of Canada’s badly outdated Access to Information Act has been criticized for falling far short of what is needed and from what was promised during the last election campaign. I share this concern. However, this blog post focuses on a somewhat different issue raised by Bill C-58 – the new relationship it will create around privacy as between the Offices of the Information Commissioner and the Privacy Commissioner of Canada.

While Canadian provinces combine access to information and the protection of personal information in the hands of government under a single statute and a single commissioner, the federal government has kept these functions separate. As a result, there is a federal Information Commissioner charged with administering the Access to Information Act and a federal Privacy Commissioner charged with administering the Privacy Act. In 2001, the Privacy Commissioner was also given the task of overseeing Canada’s private sector data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). Certainly at the federal level it makes sense to separate the two regimes. While there is a close relationship between access and privacy (citizens have a right of access to their personal information in the hands of government, for example; and access rights are limited by the protection of the personal information of third parties), access to information and the protection of privacy have important – and sometimes conflicting – differences in their overall objectives. The reality is, as well, that both bring with them substantial and growing workloads, particularly at the federal level. Just as the role of the Privacy Commissioner has expanded with the addition of new responsibilities under PIPEDA, with the rapid advance of information technologies, and with new challenges at in relation to the actions of law enforcement and national security officials, so too has the Information Commissioner’s role been impacted by technology, and by the growing movement towards open government and open data.

In spite of these different spheres of activity, there remain points of intersection between access and privacy. These points of intersection are significant enough that changes to the role of one Commissioner may have implications for the other. For example, a government institution under the ATIA can refuse to disclose records if doing so would reveal third party personal information. The Information Commissioner, fielding a complaint about such a refusal, will consider whether the information at issue is personal information and whether it should be disclosed. The federal Privacy Commissioner, dealing with complaints regarding the mishandling of personal information, must also determine what is or is not personal information.

This overlap is poised to be affected by proposed changes to the ATIA. First, Bill C-58 will make the definition of “personal information” in the ATIA match that in the Privacy Act. Second – and significantly – the Bill will give the Information Commissioner order-making powers. This means that the Information Commissioner can rule on whether information in the hands of a government institution is or is not personal information. The decision will be binding and enforceable if it is not challenged. The Privacy Commissioner currently does not have order-making powers (these are on the wish-list for Privacy Act reform). Ironically, then, this means that the Information Commissioner will be in a position to make binding orders regarding what constitutes personal information in the hands of government whereas the Privacy Commissioner cannot. Even if the Privacy Commissioner eventually gets such powers, there will still be the potential for conflicting decisions/interpretations about how the definition of personal information should be applied to particular types of information.

No doubt in recognition of the potential for conflict in the short and longer term, Bill C-58 provides for the Information Commissioner to consult with the Privacy Commissioner. The proposed new section 36.2 reads:

36.‍2 If the Information Commissioner intends to make an order requiring the head of a government institution to disclose a record or a part of a record that the head of the institution refuses to disclose under subsection 19(1), the Information Commissioner may consult the Privacy Commissioner and may, in the course of the consultation, disclose to him or her personal information. [my emphasis]

In theory then, the Information Commissioner should touch base with the Privacy Commissioner before making orders regarding what is or is not personal information, or perhaps even whether certain personal information is subject to disclosure. It is worth noting, however, that the new provision uses the verb “may”, rather than “must”. Neither consultation nor consensus is mandatory.

Bill C-58 anticipates potential problems. A revised section 37(2) requires the Information Commissioner to give notice to the Privacy Commissioner before any order is made regarding the disclosure of personal information. Section 41(4) then provides:

41(4) If neither the person who made the complaint nor the head of the institution makes an application under this section within the period for doing so, the Privacy Commissioner, if he or she receives a report under subsection 37(2), may, within 10 business days after the expiry of the period referred to in subsection (1), apply to the Court for a review of any matter in relation to the disclosure of a record that might contain personal information and that is the subject of the complaint in respect of which the report is made.

Thus, if the Privacy Commissioner disagrees with a decision of the Information Commissioner regarding what constitutes personal information or whether it should be released, he can apply to a court to have the dispute resolved before a final order is made by the Information Commissioner. Note that this can happen even if the applicant and the government institution are satisfied with the Commissioner’s proposed resolution.

It will be interesting to see whether the Privacy Commissioner will get order-making powers if and when the Privacy Act is reformed. This seems likely. What will be even more interesting will be whether any decision by the Privacy Commissioner about what constitutes “personal information” will similarly be open to challenge by the Information Commissioner, with the outcome to be settled by the Federal Court. This too seems likely. In the provinces, decisions about personal information for access and privacy purposes are made by a single Commissioner. The best way to achieve consensus as to the meaning of “personal information” at the federal level with two different Commissioners with different mandates, will be to have any conflicts referred to the courts. This will add a layer of delay in any case where disputes arise, although in theory at least, with open lines of communication between the two Commissioners, such disputes may be few and far between. Nevertheless, there may be a disadvantage in pushing controversies over the definition of “personal information” directly to the courts which lack the same experience and expertise as the two Commissioners in an increasingly complex data landscape. True, the courts already have the last word when it comes to interpreting the definitions of personal information in either statute. But those interpretations have, to date, been confined in impact to one or the other of the statutes and understood in the context of the particular legislative goals underlying the specific statute at issue. The impact of these changes will interesting to monitor.

 

Last modified on Friday, 07 July 2017 09:30
Login to post comments

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law