Issues and Topics

The following are my personal views and opinions.  However, when performing services under contract I ensure that all my work is based upon and in compliance with the positions, interpretations and interests of the client as required and appropriate under such circumstances.

Marcel Gauthier

Should you wish to share your personal views or opinions on the following or other matters that are of interest to the Access to Information and Privacy (ATIP) community, please send these to me.  If appropriate, I will post these on this page with an indication of your expertise (e.g., ATIP Officer, over 5 years experience; ATIP Manager, over 5 years experience; ATIP Contractor, over 5 years experience).  I will not identify you or your organization to any party unless you provide me with written consent.  Such an approach is necessary to provide a basic forum for frank exchange of ideas without compromising any individual, or any federal institution.

Personal Information

The following examines whether the names of individuals who are representatives of organizations other than government institutions need to be protected as personal information.

Given that each government institution is responsible for defining and defending its interpretations of the ATIP legislation, it is not uncommon for institutions to have slightly different interpretations of certain provisions of the legislation.  This is not necessarily an indication of inconsistency or conflict between interpretations, but rather is a reflection of the fact that there are grey areas and each institution must resolve these in light of their particular knowledge, experience and circumstances.  The number of such variations is kept to a minimum as a result of direction provided by the central agencies, concerns expressed by the Commissioners, and Court decisions.

Unfortunately, the issue of what constitutes protected personal information seems to have escaped such safeguards, perhaps because of the apparent difficulties in interpreting and applying the relevant provisions of the legislation.  A good example of such difficulties is the Dagg decisions.  Initially, Mr. Dagg had appealed to the Federal Court regarding Finance Canada's refusal to disclose portions of departmental sign‑in logs.  The institution had deleted therefrom the employees' names, identification numbers and signatures.  In 1993 the Federal Court Trial Division found that this was not personal information as defined in section 3 of the Privacy Act (PA).  Government appealed the latter decision, and in 1995 the 3 Judges representing the Federal Court of Appeal decided that this information was personal information as defined in section 3 of the PA, that it was not of the nature described in the exception to protection of personal information found in paragraph 3(j) of the PA, and that the institution was not required to disclose this information pursuant to paragraph 8(2)(m) of the PA and paragraph 19(2)(c) of the Access to Information Act(ATIA) or pursuant to paragraph 19(2)(b) of the ATIA.  The requester then appealed that decision to the Supreme Court, where 9 Judges agreed the information in question was personal information as defined in section 3 of the PA, but 5 of these 9 Judges decided that this information was of the nature described in paragraph 3(j) of the PA and therefore could not be protected from disclosure as personal information.  The four dissenting Supreme Court Judges were of the opinion that the information was not of the nature described in paragraph 3(j) of the PA and that therefore this information should be protected.  However, in such circumstances the majority decides, although the dissenting reasons are provided in the Supreme Court decision.

The above example was provided to demonstrate that although at first glance the definitions of what is personal information (section 3 of the PA), and what is not protected personal information (paragraphs 3(j) to 3(m) of the PA), appear to be clear and objective, in fact these, or portions thereof, are widely open to subjective interpretation.

However, another Court decision seems to be the reason that of all exemptions under the ATIA, the one for personal information seems to be the one that is the most inconsistently applied between federal institutions.  This is the Robertson decision.  This was a 1987 decision that in my opinion should have been appealed.  However, neither central agencies nor the Privacy Commissioner ever formally expressed any concerns with this decision, and for many years the Information Commissioner pressed institutions to follow the interpretation set out in this decision.  The end result is our current situation.

The Robertson decision basically holds that: "Personal views in a letter written by a union official on behalf of union employees opposing an application for a federal grant by a Public Utilities Commission were found to be personal information within the meaning of para. 3(e) PA and therefore exempt from disclosure pursuant to subs. 19(1).  However, other identifying particulars like the author’s name and position which related to his authority to write on behalf of the union were not.  The remaining correspondence was considered not to be personal information as the author had made these statements on behalf of the union." (this is an extract from the Annotated ATIA; the underlining is my emphasis)

As a result, there are three very distinct ways in which institutions deal with the names of individuals appearing in relation to carrying out the duties and functions of their position within an organization other than a government institution (e.g., a third party).  Some practically always protect the name as personal information, some practically never protect the name as personal information because of the Robertson decision, and some protect the name of the individual unless the name of the person occupying the particular position is publicly known (e.g., the president of a large company).

I believe the most compelling argument in determining whether the fact that a named individual is an employee of a given organization must be protected as personal information can be found in paragraphs 3(j) and 3(k) of the PA.  According to the two latter provisions, the fact that an individual is an employee or contractor of a government institution is personal information except for the purposes of sections 7, 8 and 26 of the PA and section 19 of the ATIA.  Since this is the case, the fact that an individual is an employee or contractor of an organization other than a government institution must also be personal information, but in this case, there is no exception in relation to sections 7, 8 and 26 of the PA and section 19 of the ATIA, and therefore this information is mandatorily protected unless the individual consents to disclosure, the information is publicly available, or section 8 of the PA permits disclosure.  This was the approach prior to the Robertson decision, a few institutions maintained this approach even after the Robertson decision, a number of institutions have gone back to this approach, and this appears to be what the ATIP legislation requires.

Section 25 of the ATIA - Severability

Another interesting topic is interpretation of section 25 of the ATIA. This provision is worded as:

"Notwithstanding any other provision of this Act, where a request is made to a government institution for access to a record that the head of the institution is authorized to refuse to disclose under this Act by reason of information or other material contained in the record, the head of the institution shall disclose any part of the record that does not contain, and can reasonably be severed from any part that contains, any such information or material."

Essentially, this provision requires that "the institution shall disclose any part of the record that does not contain" information "that the head of the institution is authorized to refuse to disclose under this Act".

Other words in this provision are also very important, such as the "notwithstanding" clause, however, this is not specifically relevant to the issue I am trying to address.

The issue that concerns me is the interpretation that we are not only required to disclose information that is not of the nature of the exemptions and exclusions of the legislation, but that we are also required to make protected information unprotected by severing identifiers of the parties whose interests the legislation intends to protect.

A classic example is the letter from a member of the public to the institution or to a minister. In most cases, the institution will only protect information that could be used to identify the individual, and then disclose the remainder. In most of these cases, the entire letter does fall within the definition of personal information, which would be obvious were the individual to request a copy of this letter under the Privacy Act.

I would note at this point that this is not an issue that appears in relation to all exemptions and exclusions. To begin with, I do not believe this approach is taken with exclusions. When information is of the nature described in sections 68 or 69 of the ATIA, or sections 69 or 70 of the PA, severing is not used to remove portions of this information from the scope of these provisions. Furthermore, when dealing with discretionary exemptions the legislation requires that we consider and weigh the possibility of disclosing all of this information. Therefore, in the case of discretionary exemptions, we are required to disclose information that is of the nature described in such exemptions to the extent determined by an authorized individual having properly exercised discretion. Therefore, this issue is limited to the mandatory exemptions. These are provisions 13, 16(3), 19, 20 and 24 of the ATIA, and provisions 19, 22(2) and 26 of the PA (note that section 26 of the PA is called a hybrid exemption because it contains both the words "shall" and "may", however, it is essentially the same as section 19 of the ATIA, which is a mandatory exemption).

So the question is, does the legislation require that we:

• disclose information that falls within the scope of mandatory exemptions by removing identifiers and considering that the remainder of the information has thereby been removed from the scope of these exemptions, or
• protect all information that is of the nature specified in the mandatory exemptions?

With respect to the ATIA, this brings us back to the wording of section 25, which as stated above essentially states that "the institution shall disclose any part of the record that does not contain" information "that the head of the institution is authorized to refuse to disclose under this Act". Therefore, the interpretation must hinge on what information the head of the institution is authorized to refuse to disclose under the Act. Is it all of the information that Parliament has specified in each of the mandatory exemptions, or is it only a portion of that information? The answer can only be found by considering the wording of each of the mandatory exemptions.

With respect to the PA, this legislation has no equivalent to section 25 of the ATIA. However, chapter 2‑9 of the Treasury Board Privacy and Data Protection Manual states that "The principles which govern severability under the Access to Information Act should be followed when reviewing information under the Privacy Act. The basic principle is one of reasonable severability." In light of the preceding and of the fact that there is no severing provision in the PA, the answer again can only be found by considering the wording of each of the mandatory exemptions.

Sections 13 of the ATIA and 19 of the PA are essentially the same except for the fact that the ATIA refers to records containing a certain type of information while the PA refers to personal information that is of this same type. So the main difference in the wording is that the ATIA refers to "... any record requested under this Act that contains information that was obtained in confidence from ..." while the PA refers to "... any personal information requested under subsection 12(1) that was obtained in confidence from ...". In both cases, these mandatory exemptions refer to being required to protect "information ... that was obtained in confidence from" the specified other governments. Therefore, in these mandatory exemptions the information "that the head of the institution is authorized to refuse to disclose under this Act" is all of the information provided in confidence by the other government, not simply the identity of the other government.

Subsections 16(3) of the ATIA and 22(2) of the PA are also essentially identical, again save for the reference to "records" under the ATIA and to "personal information" under the PA. The main difference in this case is that the ATIA refers to "... any record requested under this Act that contains information that was obtained or prepared by the RCMP ..." and the PA refers to "... any personal information requested under subsection 12(1) that was obtained or prepared by the RCMP ..." (legislation does not use the RCMP acronym). Again in these mandatory exemptions, the information "that the head of the institution is authorized to refuse to disclose under this Act" is the information obtained or prepared by the RCMP while providing the services described in these provisions and not simply the identities of the parties involved (i.e., the RCMP, the provincial or municipal governments involved, or the parties subject to the policing activities).

On the other hand, sections 19 of the ATIA and 26 of the PA are worded fairly differently. However, this is more a matter of construction of the legislation than actual differences in scope and intent. For example, the PA deals with the issue of publicly available information in the exclusion of section 69 of that legislation, and with consent in the Privacy Regulations, while the ATIA has summarized all aspects of exempting personal information in section 19 of the ATIA. In either case, these exemptions make it mandatory that we protect personal information as defined in section 3 of the PA, unless the individual concerned consents to disclosure, the information is already publicly available, or section 8 of the PA permits disclosure. To be more specific, the ATIA requires that we "refuse to disclose any record requested under the Act that contains personal information as defined in section 3 of the Privacy Act." Again it is clear that the information "that the head of the institution is authorized to refuse to disclose under this Act" is all of the personal information that falls within the definition of section 3 of the PA and not just nominative information. The PA requires the same.

The next mandatory exemption is section 20 of the ATIA. Obviously, there is no equivalent in the PA. The information "that the head of the institution is authorized to refuse to disclose under this Act" in this case is the information described in the two class exemptions that are specified in paragraphs 20(1)(a) and (b), and in the two injury exemptions specified in paragraphs 20(1)(c) and (d). Again, this is not a matter of protecting the identities of the parties whose interests section 20 is intended to protect, but rather this is a requirement that the specified information be protected. Furthermore, in this case we also have to deal with the notification requirements set out in sections 27 and 28 of the Act. Were information of the nature described in paragraphs 20(1)(a) to (d) to be disclosed after having only protected identifiers and not having sent the required notices to the third parties involved, the institution could potentially be sued by the third party who could argue that the protection in section 74 does not apply since the institution did not give the required section 27 and 28 notices.

Given the nature of section 24, these being references to various information protected by other legislation, I will not undertake an analysis of each of these.

Another consideration is the fact that we are not being consistent in how we apply severing to the mandatory exemptions. In many cases when dealing with personal information, we only sever identifiers but disclose information that should be protected because of the wording of section 19 of the ATIA and section 26 of the PA. In practically all cases when dealing with provisions 13, 16(3) and 20 of the ATIA, and provisions 19 and 22(2) of the PA we do not only sever the identifiers, but rather we protect all of the information described in these provisions.

The inconsistency is even worse when dealing with personal information. For example, most institutions who would receive requests for correspondence sent by individuals to the minister would simply remove identifiers and disclose most of this correspondence. However, most of these same institutions would not disclose any information in response to requests for employee performance evaluations although the same technique could be used to remove all identifiers from these. Although it could be argued that the reason for treating these two types of requests differently is that it may be easier to identify individuals in the latter request, in fact with slightly more severing all identifiers could also be removed from the latter request. Note that it is recognized that is not always the case. For example, if the target population is small enough, such as a request for correspondence sent to the minister by anyone living in a town of 50 people or for employee performance evaluations of employees in a very small office, it is obvious that all of this information would have to be protected. The point being made here is that two different interpretations are being used inconsistently, with no specific and clear rationale based upon the wording of the legislation as to why this is being done.

This analysis would be incomplete if it did not consider what the Treasury Board Guidelines say on this topic. In the initial Guidelines (1983) there was article .4.4 on Severability, and a modified version of this was then included in article 5 of Chapter 2‑7 of the 1993 Access to Information - Treasury Board Policy and Guidelines, which deals with Severability. Part of the latter article states:

"Often the only exempt information involved will be the name of an individual, which appears in a such a context that it would qualify as personal information. When this type of problem arises, only the name itself and any other information which could identify the individual should be deleted. Similarly, the name of a place or thing may qualify for exemption and only that discrete piece of information should be deleted. By way of example, if a sentence reads 'John Doe, an expert in environmental research at the University of Toronto, told the department that it should disregard the representation from this environmental group' and the request was for information relating to the fate of the particular representation, the portion 'John Doe' and his university affiliation could be exempted and the rest of the sentence released as being intelligible and relevant to the request, provided it is reasonable to believe the rest of sentence does not provide a key to the individual's identity. Further, the name of a person along with information which is not factual in nature, such as qualitative performance evaluation, opinions of others, should remain exemptible in order to protect the privacy of the individual."

I would begin by mentioning that the original 1983 version, prepared before government institutions and Treasury Board were able to get hands‑on experience at interpreting and applying the legislation, did not refer to protecting any other information than the name of the individual in the above passage. In the 1983 version there was no reference to protecting other identifiers than the name, including the university affiliation, or to protecting any qualitative information about the individual. Therefore, the 1993 version provides much better guidance on this difficult topic than the 1983 version. However, it does not settle the issue of whether we are required to only protect identifiers or whether we need to protect all information of the nature described in a mandatory exemption such as section 19. On the one hand it contains statements that support rendering protected information unprotected by removing identifiers such as "When this type of problem arises, only the name itself and any other information which could identify the individual should be deleted." "and "the rest of the sentence released as being intelligible and relevant to the request, provided it is reasonable to believe the rest of sentence does not provide a key to the individual's identity". On the other hand, it also includes statements such as "Similarly, the name of a place or thing may qualify for exemption and only that discrete piece of information should be deleted.", which seems to indicate that whatever information qualifies for exemption needs to be deleted; and the statement "Further, the name of a person along with information which is not factual in nature, such as qualitative performance evaluation, opinions of others, should remain exemptible in order to protect the privacy of the individual.", which indicates that not only identifiers but other information that falls within the scope of the exemption must also be protected. Finally, it should be kept in mind that these are Guidelines and not Policy, and therefore are only meant to assist institutions in interpreting the legislation but are not intended to strictly define the interpretation that should be used by government institutions.

However, there is recent Treasury Board documentation that seems to clearly support the position that not only identifiers but all information that is of the nature specified in a mandatory exemption such as section 19 should be protected. This can be found in Treasury Board's Info Source Bulletin Number 29. The summary of the Canada (Information Commissioner) v. Canadian Transportation Accident Investigation and Safety Board), T-465-01, T-650-02, T-888-02, T-889-02, Reference: 2005 FC 384, Court decision states:

	"Issue 4 – Can the personal information in the ATC communications reasonably be severed from the remaining information pursuant to s. 25 ATIA?
	As the Court found that the ATC communications were personal information, there was nothing that could be severed and no need to address this issue."

So where did the method of only severing identifiers come from? The likely source for the practice of severing identifiers in personal information and then disclosing information that technically is mandatorily protected seems to have originated from the Information Commissioner arguing that only nominative information can be protected as described in Québec's An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information. This was one of the main arguments used by the Information Commissioner in trying to convince or require institutions to only sever identifiers when records contained personal information. The problem with that argument is that the Québec legislation was promulgated in 1982, before the federal legislation, and so Parliament was aware of this possible approach yet decided not to word the federal legislation based upon only protecting nominative information.

Finally, it is important that we consider whether the above analysis, including the conclusions reached at the end of the analysis of each mandatory exemption above, are consistent with the purpose of the legislation. Unfortunately, on this point many seem to never get beyond the first few words of section 2 of the ATIA and thereby they limit the purpose of the Act to being "to provide a right of access to information". Section 2 of each Act defines the purpose of each of these two legislation. Ignoring portions of the provision does not appear to be the best way to arrive at an understanding of what Parliament intended. If we look at all of section 2 of the ATIA, it begins by stating that the purpose of the legislation is "to provide a right of access to information" but then goes on to say that government institutions must do so "in accordance with the principles that government information should be available to the public, that necessary exemptions to the right of access should be limited and specific and that decisions on the disclosure of government information should be reviewed independently of government." In light of this, and as it is obvious to anyone who has ever processed requests made under this legislation and had to apply exemptions, the purpose of the legislation is to achieve a balance between the right of access and the right of protection of information as specified in the legislation. To argue that one is paramount to the other, to argue than the public's right of access is more important than an individual's right to protection under section 19, or a government's right to protection under section 13, or a third party's right to protection under section 20, is not an appropriate interpretation of the legislation.

The fact that the purpose of the Act is to reach a balance between the right of access and the right to protection of the interests specified in the exemptions and exclusions is even recognized by the Information Commissioner who stated "Of course, access rights are not absolute. They are subject to specific and limited exemptions, balancing freedom of information against individual privacy, commercial confidentiality, national security and the frank communications needed for effective policy‑making." (Information Commissioner - Annual Report 2000‑2001)

Therefore, since the purpose of the legislation is to achieve a proper balance between the right of access and the right to protection in specific circumstances, the interpretation that we must protect all information that is of the nature specified in the mandatory exemptions is consistent with the purpose of the legislation.

Although section 2 of the PA is worded differently, and the PA does not contain the equivalent of section 25 of the ATIA, the Treasury Board Guidelines tell us that the same approach to severing should be used for both Acts. Furthermore, in the Dagg decision, the Supreme Court of Canada stated that " The Access to Information Act and Privacy Act have equal status and must be given equal effect. The courts must have regard to the purposes of both in considering whether a government record constitutes "personal information". Both recognize that, in so far as it is encompassed by the definition of "personal information" in s. 3 of the Privacy Act, privacy is paramount over access." This would seem to indicate that in determining what information needs to be protected as personal information, the Supreme Court believes we should adopt the interpretation that favors privacy, and this would mean protecting all personal information that is specified in the relevant exemption, and not just identifiers.

In conclusion, as explained above severing mandatorily protected information by only removing identifiers is not required by the legislation and furthermore such severing is not being consistently applied. Therefore, such severing should not be done.

Investigation Findings

According to subsection 37(1) of the ATIA, "If, on investigating a complaint in respect of a record under this Act, the Information Commissioner finds that the complaint is well‑founded, the Commissioner shall provide the head of the government institution that has control of the record with a report containing (a) the findings of the investigation ..."

According to subsection 35(1) of the PA, "If, on investigating a complaint under this Act in respect of personal information, the Privacy Commissioner finds that the complaint is well‑founded, the Commissioner shall provide the head of the government institution that has control of the personal information with a report containing (a) the findings of the investigation ..."

Therefore, both Commissioners are legally required to inform institutions when a complaint is well‑founded. The corollary to this is that in all cases where the Commissioner does not specify that a complaint is well‑founded, the complaint must be not well‑founded, including complaints identified as "Resolved" by the Commissioners.

Both Commissioners do indicate in their reports under subsection 37(1) of the ATIA or under subsection 35(1) of the PA those complaints that they consider to be well-founded. However, these two provisions only provide requirements for reporting to government institutions, to complainants, and in the case of the ATIA, to third parties. However, the legislation does not specify how complaints have to be reported to Parliament, and in that area, the approaches of the two Commissioners vary.

The Privacy Commissioner reports complaints in Annual Reports to Parliament using the same types of findings as is used when reporting findings to complainants and government institutions under susbsection 35(1). For example, the Privacy Commissioner will report regarding complaints that were "Well‑founded", "Well‑founded‑Resolved", "Not well‑founded", "Resolved", etc...

On the other hand, up until the Information Commissioner's 1991‑1992 Annual Report to Parliament these reports did indicate the number of well‑founded complaints (reported complaints as being either "Justified", "Not Justified" or "Discontinued"). However, since then, the Information Commissioner stopped reporting to Parliament the numbers of complaints that were well‑founded and began only reporting figures for complaints as being "Resolved", "Not Resolved, "Not Substantiated" and "Discontinued". Unfortunately, this does not indicate to Parliament how many complaints were well‑founded, and in actual fact many of the complaints that are being counted as "Resolved" are actually complaints that the Information Commissioner did not find to be "Well‑founded". However, as explained above there is no legal requirement for the Commissioners to report to Parliament whether complaints were well‑founded or not.

Nonetheless, no matter how either Commissioner reports their findings in their Annual Reports, nothing prevents government institutions from clearly indicating in their own Annual Reports to Parliament the actual figures for well‑founded versus not well‑founded complaints. When the Commissioners issue their findings to the government institutions pursuant to subsection 37(1) of the ATIA or 35(1) of the PA, they will have either indicated that the complaint was well‑founded, or provided some other finding. Given the legal requirement both Commissioners have to inform the institution when a complaint is well‑founded, it would appear that government institutions should be able to indicate in their Annual Reports to Parliament exactly what proportion of complaints were well‑founded and what proportion were not well‑founded (all findings that do not specify well‑founded and for which the investigation was not discontinued).