Access Granted: How Organizations Can Improve Response to Access Requests
November 4th, 2015
In late October, the Information and Privacy Commissioner for BC (the “Privacy Commissioner”) released a scathing report on the BC Government’s response to an access request filed with the Ministry of Transportation and Infrastructure regarding meetings about missing women and the Highway of Tears. The report (Investigation Report F15-03 – Access Denied: Records Retention and Disposal Practices of the Government of British Columbia) was issued after the Privacy Commissioner was alerted to the BC Government’s failure to properly respond to requests for access to information pursuant to the Freedom of Information and Protection of Privacy Act (“FOIPPA”), which requires a public body to provide access to “all records in the custody or under the control of a public body”.
The report’s findings were widely covered in the news, undermining public confidence and raising important questions about the government’s commitment to transparency and accountability in its approaches to appropriate data maintenance. The failures brought to light in this report include negligent searches for records, a failure to keep adequate email records, a failure to document searches and the willful destruction of records.
The report highlights the particular responsibilities of public bodies to retain and manage records and serves as an important reminder about the need to ensure compliance with data management obligations. The Privacy Commissioner offers 11 recommendations in her report, including the implementation of technological changes to prevent employees from being able to permanently delete emails and mandatory training in records management.
Here are some guidelines, stemming from this report, which organizations should consider to encourage adequate responses to requests for information:
- Respond quickly to any requests for information: The duty to respond to requests in a timely manner is clearly outlined under s.6(1) of FOIPPA, which states: “the head of a public body must make every reasonable effort to assist applicants and to respond without delay to each applicant openly, accurately and completely.” The act further outlines that the head of the public body has an obligation to respond to the request within 30 days, but can request extensions in the provision of the materials that constitute a response to the request. Organizations should ensure that their access to information processes are devised in such a way as to ensure requests for records are made via email, are done in a timely manner and are properly documented.
- Be thorough in your search for materials related to the request and clarify the request if necessary: In addition to responding quickly to requests, public bodies must ensure their response is complete. As the Privacy Commissioner outlines in her report, the expectation is not perfection, but rather demonstrating that the organization has fulfilled the “requirement to perform an adequate search for records” as part of the duty to assist. It is essential that all program areas have a system in place that results in access requests being emailed to all employees with potentially responsive records as soon as possible.
If there are any questions related to the nature of the request and how best to fulfill it, the organization should seek clarification immediately in order to ensure it does not interpret the request too narrowly.
- Ensure preservation: Public bodies in particular have a responsibility to ensure they are backing up their files on a regular basis. In her report, the Privacy Commissioner recommends that government develop a policy for all future data migrations with a minimum of hourly, daily and monthly backup of data; written instructions to the service provider about these backups; and government monitoring of the directions to ensure their compliance. Government should also ensure there are no means for employees to permanently delete emails from the system through Microsoft Outlook. If the organization does need to dispose of records, it is important to ensure that it has the legal authority to do so.
- Create a training program for employees: This training program should outline clear guidelines for employees on how to conduct a thorough search for potentially responsive records to an access request. This guidance should be incorporated into access to information training and should “specifically include that employees should conduct searches from their desktop or laptop and not from mobile devices.” Part of the training should also include developing an understanding of what constitutes a transitory record. According to the Privacy Commissioner’s report, transitory records are: “convenience copies, unnecessary duplicates and working materials and drafts once the finished record has been produced.” Records that do not fall under these categories need to be retained according to the government records schedule.
- Include independent oversight as part of your plan and develop an ongoing review process on records management: The Privacy Commissioner recommends independent oversight of data management requirements and sanctions for non-compliance. Independent oversight serves both to reinforce the objectivity of assessments of the organization’s performance and, in turn, to help reestablish public confidence. Part of ensuring a comprehensive compliance program would also involve the creation of an ongoing review process to ensure processes and procedures are effective and compliant.
While the Privacy Commissioner’s report focused on public bodies, it is important to remember that in both the private and public sectors, individuals have a right to access their personal information. The Personal Information Protection Act, which applies to all private sector organizations in BC, provides that upon request an organization must provide individuals with access to any personal information of the individual under the control of the organization. As such, all organizations should review the guidelines set out above and ensure that they have proper procedures in place to respond to access requests.