Recent Changes to Freedom of Information and Protection of Privacy Act

In November of 2011, Bill 3, the Freedom of Information and Protection of Privacy Amendment Act, 2011 became law, resulting in a number of changes to the Freedom of Information and Protection of Privacy Act (the “Act”).

A major focus of the amendments to the Act is the facilitation of information sharing among provincial agencies, and the move towards an integrated form of personal identification through an entity referred to in the Act as a “provincial identity information services provider”.  This lays some of the groundwork for a single form of personal identification, encompassing the driver’s licence, care card and others.

However, there have also been various other changes to the Act, many of which may be of interest to local governments.  The following is a summary of many of the key changes to the Act.

  • Section 3 of the Act describes the scope of its application.  Subject to the exceptions listed in subsection 3(1), all records in the custody or under the control of a public body are subject to the Act.  An exception has been added in subsection 3(1)(j) for records that are available for purchase by the public, and another in subsection 3(1)(k), for a record of a service provider that is not related to the provision of services for a public body.Subsection 9(2.1) has been added to require that where a disclosure applicant has requested an electronic copy of a record and it is reasonable for the public body to provide the record in electronic form, then the record must be provided in electronic form.
  • Section 13 of the Act permits the head of a public body to refuse disclosure of information that would reveal policy advice or recommendations.  There are a number of exceptions to that ability to refuse set out in subsection 13(2).  The language of subsections 13(2)(g) and 13(2)(l) has been broadened, so that the head of a public body may not refuse to disclose certain information relating to a “program or activity” of the public body.  Previously, the language of these sections only referred to a “program” of the public body.  The addition of “activity” appears to make the language broad enough to encompass nearly anything done by a local government.
  • Section 27 has been amended to clarify the ability of a public body employer to investigate the conduct or activities of its employees.  Subsection 27(1) states the general rule that a public body must collect personal information directly from the individual the information is about.  A number of exceptions to that rule are listed, and of note is the addition of subsection 27(1)(f) which provides an exception to the rule where the information is about an employee and the collection of the information is necessary for the purposes of managing or terminating an employment relationship.  Emphasis should be placed on the word “necessary”.  Another item to note is the addition of subsection 27(4), which provides that a public body must notify an employee that it will be collecting personal information under subsection 27(1)(f) unless it is reasonable to expect that the notification would compromise either the availability or the accuracy of the information, or an investigation or a proceeding related to the employment of the employee.  Taken together, these amendments suggest that covert surveillance of employees by a public body is permitted by the Act in certain circumstances, but that generally speaking, even where surveillance is permitted, it must only be done with prior notice to the employees.
  • Section 27.1 has been added to the Act to provide a form of “innocent collection” rule.  It says that where personal information is received by a public body, it is not “collected” for the purposes of the Act if the information does not relate to a program or activity of the public body, and the public body takes no action with respect to the information other than to read all or part of it and then delete, destroy or return it, or transfer it to another public body, where appropriate, if the information relates to a program or activity of that public body.
  • Sections 32 and 33 of the Act, dealing with disclosure, have been amended to remove the words “must ensure”.  Instead, these sections now state that a public body “may only use” or “may disclose” personal information as permitted by the Act.  The amended language seems to suggest that a public body is only required to refrain from using and disclosing information contrary to the Act, while the previous language may have suggested a positive obligation to prevent unauthorized use and disclosure.  It is not clear what the implications of these changes will be in actual practice.
  • Changes to subsection 33.1(g) expand the ability of a public body to disclose personal information to its legal advisors.  Previously, this subsection only permitted disclosure for use in civil proceedings involving the public body.  The language of the subsection now also allows disclosure for the more general purpose of preparing or obtaining legal advice for the public body.
  • Subsection 33.1(r) has been added to permit the disclosure of personal information gathered by public bodies through social media sites, provided that certain conditions are met.  The personal information must have been disclosed on the social media site by the individual the information is about, it must have been obtained by the pubic body through public engagement on issues regarding activities, policies or legislation of the public body, and the disclosure of the personal information must be for a use that is consistent with the purpose for which it was collected.  Note that a definition of “social media site” has been added to Schedule 1 of the Act and for the time being at least it includes only Facebook, YouTube, Twitter and MySpace.  The definition leaves open the possibility that other social media sites will be added to the definition by regulation at a later date.  It remains to be seen how quickly the legislation will respond to the “next big thing” in social media.
  • Section 33.3 had been added to the Act, as part of a move toward a greater degree of proactive disclosure by public bodies.  Subsection 33.3(1) provides that a public body may disclose to the public a record that is within a category of records established under section 71(1).  Section 71(1) has been significantly amended so that it is no longer discretionary for public bodies to establish categories of records that are available to the public without a request under the Act.  It is now mandatory under section 71(1) for the head of a public body to establish categories of records that are available without a request.  The categories of records established under section 71(1) are subject to the restrictions set out in section 71.1(1).  It prohibits the establishment of a category of records that contain personal information unless the information is subject to disclosure under sections 33.1 or 33.2 or if the disclosure would not constitute an unreasonable invasion of privacy.  There are provisions in the Act that must be followed to determine whether or not disclosure will constitute and unreasonable invasion of personal privacy.
  • Sections 66 and 77 feature changes of significance to local governments.  Sections 66(1) and (2) permit the head of a public body to delegate his or her duties, powers and functions in writing, subject to any conditions or restrictions the head of the public body considers appropriate.  Until recently, section 66(3) stated that the delegation power in section 66 did not apply to a local public body, which would include local governments.  This meant that delegation could only occur by bylaw, in accordance with section 77.  Section 66(3) has now been repealed and section 77 has been amended.  Delegation by bylaw is no longer contemplated. Instead, the head of the local public body continues to be appointed by bylaw, but further delegation is done by the head of the local public body in writing.
  • Section 73.1 has been added to the Act to provide that the head of a public body may require a person who is unlawfully in possession of personal information within the custody or control of the public body to either return it or destroy it, and section 73.2 has been added to permit a public body to obtain a Court order to enforce section 73.1.