The ins and outs of the e-FOI process

The ins and outs of the e-FOI process

Dan MichalukSeptember 26, 2013

2

Outline

• Electronically stored information• FOI and e-FOI compared• Handling database requests• Handling e-mail requests• The privacy problem

I’m not selling the e-FOI process today. Paper processing can work well. This is to open options, which may lead to efficiencies, reduce risks and reduce

disputes.

4

Electronically stored information

• The data you see is the data you get

• Hard to organize• We manually index or

code and link to each record by identification number

5

Electronically stored information

• ESI has dimensions

6

Electronically stored information

• ESI has dimensions

data

7

Electronically stored information

• ESI has dimensions

data

metadata

8

Electronically stored information

• ESI has dimensions

data

metadataMetadata describes various attributes of information objects

and gives them meaning, context, and organization.

9

FOI and e-FOI compared

Custodians “search”

Custodians copy

Coordinator reviews

Coordinator indexes

Coordinator “prepares”

10

FOI and e-FOI compared

11

FOI and e-FOI compared

Coordinator collects

Coordinator “processes” for responsiveness

Coordinator imports to review

tool

Coordinator tags and redacts for

exemptions

Coordinator produces

electronically

12

FOI and e-FOI compared

• Positive• You have greater control over search and retrieval

• You’ll have access to metadata and searchable text

• No more double or triple printing

• Limit• With unstructured data (e.g., e-mails), you can’t

avoid a record-by-record review

13

FOI and e-FOI compared

• But it’s likely your choice• Requester’s may make the “fox guarding the

henhouse” argument

• See, for example, MO-2634

• Order suggests that institutions and custodians

should be trusted absent a reason to mistrust

• Advice – be the benign skeptic, and never, never

say you’ve found all the e-mails

14

Database requests

15

Database requests

• Producing an “export” at point in time – usually “CSV” or “Tab Delimited”

• Common disputes• Fee and feasibility disputes – TPS case from 2009

• Identifiably disputes – see PO-3232 from July 2013

• Exemption of fields – see PO-3017 from Dec 2011

• Third-party disputes – see MO-2985 from June 2013

16

Database requests

• The limited definition of record• You have to create a record nowadays, unless the

information resides in your head (see M33)

• But there two (extraordinary) limits• Not capable of production by means… “normally

used by the institution”• “the process of producing [the record] would

unreasonably interfere with the operations of an institution.”

17

Database requests

• Toronto Police Services (Ontario CA, 2009)• Confirms a duty to export and mask identity

• If you can do it with means “normally used” you

must do it subject to “unreasonable interference”

• Still a question about whether the required use of

hardware and software not “normally used” is a

basis for declining to answer (though it is clear if you

don’t have normal use of the expertise you are

clear)

18

Database requests

• Order PO-2752 from January 2009• Example of the “unreasonable interference limit”

• OTIS request for data in “linkable” form

• 1,377.50 hours of work

• By specialized staff

• Legitimate security concerns

19

Database requests

• Tips on fee and feasibility issues• Build a relationship with IT

• Build a basic understanding of technical concepts

• Be very skeptical of large fees and claims that “it

can’t be done”

• Consider using an outside contractor to deal with

real operational concerns (chargeable at 100%)

• Provide detailed evidence to the IPC in an affidavit

20

Database requests

• Gombu (Divisional Court, 2002)• Database of electronic campaign contribution data

• Most of the information was already public, but in

physical form

• IPC finds and unjustified invasion on the balance

• Divisional Court - Production of electronic

information not reasonably associated with any

greater risk of misuse

21

Database requests

• The notification problem• What if the requester wants identifying information?

• Head’s duty mandatory – reason to believe might

(and SCC says give notice in Merck)

• Necessary, but costly and unfunded

• This will lead institutions to deny access

• IPC may bear the burden of notification on appeal,

as in PO-3017

22

E-mail requests

• The problems with e-mail• There are duplicates and near duplicates

• Search is expensive because they are unorganized

• Review for exemptions is unfunded, very time

consuming and very difficult to automate

• There is an interest in e-mails not stored “actively” –

i.e. in archive (good), on tape (bad) or

23

E-mail requests

• MO-2154• Requester asks for e-FOI, asks for deleted e-mails

• IPC denies cost of acquiring hardware

• Affirms $12,500 for fees to outside vendor

• Shows – requesters can get what they ask for

• Shows – use of outside vendors can be legitimate

• See also MO-2764 (also some evidence that

outsourcing was reasonable)

24

E-mail requests

• Deleted e-mails and e-mails on backup• Go back and talk to the requester about cost

• Talk about duplication in active storage

• Backup is probably a more cost effective alternative

to restoring deleted e-mails in most cases

• Identify the number of backup tapes from the event

to the date of the request

• Let’s go to the first tape before the story hit the news

25

E-mail requests

• PO-3050• In general, an access request for emails does not

require a routine search of backup tapes for deleted

emails unless there is a reason to assume that such

a search is required, based on evidence that

responsive records may have been deleted or lost.

26

E-mail requests

• Text messages• They are records subject to the two limits

• They can be logged and logs are easy to deal with

• If not logged, they may be stored on phones

• Can be exported from phones, but the process is

awkward given how people use text message

services

27

The privacy problem

• R v Cole• Establishes a limited ( “not entirely eliminated”)

expectation of privacy

• If there is personal use there will always be a

privacy issue, regardless of policy

• Employers can act reasonably for a legitimate

purpose

28

The privacy problem

• Policy prescriptions• Policy can’t eliminate privacy but can help

• Prepare your public sector employees for e-FOI!

• Tell them that the choice to engage in personal use

on a work system comes with a sacrifice

• Give an express warning about e-FOI

• Also warn – work is done on our system unless

pursuant to a reasonable BYOD policy

29

Dan Michaluk

daniel-michaluk@hicksmorley.com

(416) 864-7253

www.allaboutinformation.ca

The ins and outs of the e-FOI process

Dan MichalukSeptember 26, 2013