E-Communication Privacy Considerations for Local Governments

Use of E-communication Tools

Local governments wishing to improve communications with their citizens have found technology to be a valuable tool. Information can be disseminated broadly at minimal cost. Email communications and websites can enable a local government to be more transparent. Recognizing these valuable benefits, local governments are beginning to use these tools, for example, by posting video of their council meetings on their websites for viewing by the general public.

On the other hand, the use of the Internet for communicating information presents risks to the privacy of personal information contained in those communications. These risks are greater than the risks of using traditional paper forms of communication.

Privacy Concerns

Persons who wish to speak at open local government meetings are often required to provide personal information, such as their name and home address, in order to address a council, board or committee. When minutes or videos of the meetings are posted on the Internet, this personal information becomes widely accessible to the public and increases the risk that the information may be used inappropriately or in a manner that harms the individual.

The Freedom of Information and Protection of Privacy Act (“FIPPA”) governs the collection, use and disclosure of personal information. Even if FIPPA authorizes a local government to collect and disclose the name and address of persons addressing council during an open council meeting, the risks associated with disclosing personal information through the Internet require that local governments take steps to reduce, wherever possible, the unnecessary disclosure of personal information on the Internet.

Privacy Commissioners’ Recommendations

The Privacy Commissioners of Canada and British Columbia have made recommendations to administrative tribunals about posting decisions containing personal information on the Internet. The Privacy Commissioners highlight that there are risks to individuals whose personal information is posted on the Internet. These risks arise from the use of sophisticated technology for data-mining, identity theft, and stalking. Powerful search tools are available to access and extract personal information from websites for these and other purposes.

The recommendations provide guidelines for public bodies in developing policies and procedures for the disclosure of personal information through the use of e-communications tools. While the recommendations are geared toward administrative tribunals, they are transferrable to local governments who use the Internet to communicate information about open council meetings.

The following list is a summary of these recommendations:

  • Consider the factors affecting the personal information contained in records that are or may be disclosed on the Internet including:
    • the sensitivity, accuracy and level of detail of the personal information;
    • the context in which the personal information was collected;
    • the specific public policy objectives and mandate;
    • the expectations of any individual who may be affected;
    • the possibility that an individual to whom the information relates may be unfairly exposed to monetary, reputational or other harm as a result of a disclosure;
    • the gravity of any harm that could come to an individual affected as a result of the disclosure of personal information;
    • the public interest in the proceedings and their outcome; and
    • any special circumstances or privacy interests specific to individual cases.
  • Set out in writing the conditions under which access will be provided to personal information via the Internet and the measures taken to protect privacy.
  • In determining whether it is necessary to limit access to personal information, consider:
    • is there a public policy purpose, such as deterrence, for publishing the record or the personal information of a participant;
    • should certain personal information be masked prior making it available or posting it on the internet;
    • should access to certain types of information only be made in person;
    • if certain personal information is disclosed, e.g. sensitive information, do the proceedings need to be published at all;
    • can technology be used to limit the possibility of access to the personal information for purposes other than promoting transparency.
  • Prior to collection of the personal information, notify persons of the reason for collection of their personal information and that it will be disclosed on the Internet where applicable.
  • Inform persons who participate in your public hearings and other forums of your privacy policy and disclosure practices, specifically:
    • advise the parties of the policies, statutes and regulations that govern your information-handling rules;
    • give the parties notice of preliminary processes through which personal information may be identified and protected from disclosure prior to a public forum;
    • publish a written notice that describes your practices regarding the publication of personal information online. This notice should identify:
      • the type of information that is generally made available to the public via the Internet;
      • how information is published electronically;
      • whether and when personal identifiers are included in information published on the Internet; and
      • what procedures are available for parties and witnesses to make submissions about the electronic disclosure of personal information of particular concern to them;
    • develop a policy to guide your exercise of discretion concerning the disclosure of personal information in information posted on the Internet and maintain a clear record of all decisions made pursuant to this policy; and
    • post the policies on your website.
  • Require participants to expressly acknowledge having read and understood your privacy policy including that personal information disclosed at the public forum will be made available on the Internet.

Local Government Policies

Local governments should work toward developing policies and procedures to protect personal information disclosed through all forms of e-communication, including the Internet. In the interim, local governments should examine existing procedures and establish ways to reduce disclosure of personal information by e-communications.

As an example, local governments can establish an alternative to orally providing their name and address as the requirement for addressing council at a public meeting or hearing. Substituting a sign-in sheet will eliminate disclosure of this personal information via the Internet because it will not form part of the record posted on the website.

Providing the alternative serves two goals:

  • Those not wishing to have their personal information disclosed on the Internet will be able to address council if they use the alternative method.
  • The risk that their personal information will be used inappropriately is reduced. Persons less concerned about disclosing their personal information publicly could still provide it orally

In any event, at the outset of the proceedings, all persons in attendance should be informed that personal information given orally will be disclosed on the Internet and that there is an alternative method of providing it. Public notices of the proceedings should also contain this information.

As the use and sophistication of technology increases, so will the risks to personal information disclosed through e-communications. As a result, local governments need to carefully consider their use of technology when collecting, using and disclosing personal information. They should develop specific policies and procedures to address these risks. Being proactive in privacy risk management is prudent and will be viewed positively if something untoward occurs as a result of disclosing personal information through e-communication.