Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Control-Alt-Delete:
Control Data, Use Alternatives, and Delete Risks
April 30, 2018
1
A Day in the Life of an ATIPP Coordinator:
Processing & Managing ATI Requests & Complaints
2
Agenda
Part 1 – Who is involved in ATI Requests and
Complaints?
Part 2 - Overview of the ATIPPA, 2015
Part 3 - Steps to Respond to an ATI Request and Scenarios
Part 5 – Mandatory Exceptions and Redaction Exercise
Part 6 – Discretionary Exceptions and Redaction Exercise
Part 7 – Interactions with the OIPC
3
Part 1 – Who is involved in ATI Requests
and Complaints?
4
ATIPP Office
• We provide advice and support by:
– answering questions on privacy and access;
– assisting with privacy breaches;
– providing forms and templates
– providing training; and
– providing guides and handouts.
5
Office of the Information and Privacy
Commissioner (“OIPC”)
• Independent office of the House of Assembly which utilizes a hybrid model that allows the Commissioner to make recommendations that public bodies must follow unless they file an appeal with the courts.
• Duties of the OIPC include: – Investigating complaints regarding access to
information requests and breaches of privacy. – Receiving privacy breach notifications. – Processing time extension and disregard requests.
Public bodies must respond to an access request within 20 business days.
– Conducting own motion investigations. – Education, advocacy, audits, commenting on draft
legislation, etc.
6
Head of Public Body
• Ultimately responsible for the public body’s compliance
with the Act
• To find out who the head is, consult the Act. For
example:
– For government departments, this is the Minister (but
duties are typically delegated to the Deputy Minister)
– For Crown Corporations, it is the CEO
– Municipalities must appoint a Head
7
ATIPP Coordinator
• Managing and processing access to information requests.
– Preparing responses.
– Communicating with applicants and third parties.
• Gathering records.
• Protecting the identity of applicants.
• Educating staff.
• Preparing stats and tracking requests and outcomes.
8
Part 2 – Overview of the ATIPPA, 2015
9
ATIPPA, 2015 – Purpose
The purpose of the Act is to facilitate democracy through
– ensuring citizens can participate meaningfully in the
democratic process;
– increasing transparency;
– protecting the privacy with respect to personal
information held by public bodies.
10
4 Parts of the ATIPPA, 2015
1. Access to records and Correction of Records
2. Protection of Personal Information
3. Establishing Office and Powers of the Information
and Privacy Commissioner
4. General (includes offences)
11
ATIPPA, 2015 – Access
• Under ATIPPA, 2015 the default position is that all
records in the custody or control of a public body are
accessible unless a specific exception to access applies.
• Exceptions provide for withholding of information in
many different contexts, for example legal advice and
cabinet confidences. These will be discussed later.
12
ATIPPA, 2015 – Privacy
• The ATIPPA, 2015 sets out how personal information can
be collected, used, and disclosed.
• Public bodies must take reasonable steps to protect the
personal information they collect.
13
Part 3 – Steps to Respond to an ATI
Request
14
13(1) The head of a public body shall make every
reasonable effort to assist an applicant in making a request
and to respond without delay to an applicant in an open,
accurate and complete manner.
The Duty to Assist
15
The Duty to Assist
• Provide necessary information.
• Clarify the request, if required.
• Perform full and adequate searches.
• Respond without delay.
• Communicate with the applicant throughout the process.
16
Step 1 – Receiving Request
• Applicant will send in request form.
– Do not send this form to the ATIPP Office.
• Review form. If you are not sure what the applicant is
asking for, contact them to clarify.
17
Step 2. Inform ATIPP Office of Request
• Send Form 1A to the ATIPP Office (unless government
department).
• Do not include information about the applicant in this
form.
• The ATIPP Office will give you a file number for the
request.
18
Step 3 – Send Acknowledgement
• Using Form 2, send an acknowledgement letter to the
applicant.
• This lets the applicant know you have received their
request.
• Should be sent as soon after receiving a request as
possible.
19
Step 4 – Gather Records
• Contact appropriate individuals within the department to
find out where records can be found.
• Locate the records that have been requested.
20
Step 4 – Gather Records
Remember that the term ‘record’ is very broad. Depending on the wording of
the request, your search may include:
21
Reasonable Search
• Give staff clear instructions about where and how to
search for records
• Make sure staff know that they must provide ALL
responsive records
• Searches must be conducted by knowledgeable staff in
locations where the records in question might
reasonably by located.
• Keep records of who, what, where and when records
were searched.
22
Step 5 – Send Advisory Response
• The advisory response (Form 3) gives the applicant an
update on their request.
• Must be sent within 10 business days of receiving the
request.
– Unnecessary if everything has already been
completed by day 10.
23
• The ATIPP Office can assist you with identifying whether
information can be redacted under the Act.
• You must give notice to a Third Party, if you decide to
disclose information that you reasonably believe may be:
– an unreasonable invasion of privacy; or
– harmful to a third party’s business interests.
Step 6 – Redact Information if
Appropriate
24
Redaction Tools
Redaction tools
– Rapid Redact
– Adobe – caution
– Black marker – make sure to photocopy rather than
giving original redacted page
– White tape – same as above.
25
Step 7 – Provide Final Response
• Complete Form 4A, 4B, 4C or 4D
• You can modify these forms.
• Attach the requested records.
• Pages should be numbered and organized. Consider
using a table of contents if a large number of records is
being provided.
• Where information is redacted, give the section of the
act that exempts the information and explain why it
applies.
26
Step 8 – Inform ATIPP Office of
Completed Request
• Complete Form 8 and send to ATIPP Office (unless
government department)
27
27
Anonymity of Applicants
In most circumstances, the identity of the applicant must
remain anonymous.
28
Fees
• $5 processing fee was removed in 2015.
• The circumstances where you can charge fees are very
limited. You can contact the ATIPP Office for more
information if:
– you expect to spend a lot to time finding records;
– you must pay significant fees for shipping a request;
or
– you must pay significant fees to reproduce a record.
29
Extensions and disregards
• Extensions: Must be requested from the OIPC by day 15.
This process will be discussed later in the presentation.
• Disregards: Must be requested from the OIPC by day 5.
This process will also be discussed later in the
presentation.
30
Scenarios - Background
You are the ATIPP Coordinator for the Department of Fun
and Festivals, a busy (and non-existent) department of the
Government of Newfoundland and Labrador. The following
are some scenarios that you might run into in the run of a
week.
The Department regularly runs conferences. Last year it
held Fun in NL. This conference was well attended but went
significantly over budget. The spending on this conference
has received significant media attention.
31
Scenario 1
You receive a request for:
The anticipated and actual budget for the Fun in NL
conference held in November 2017
You advise your supervisor of the request and she asks who
the applicant is. What do you do?
32
Scenario 2
An individual phones you and says they want to put in an
ATIPP Request. You explain the process and then they tell
you they just want a copy of the Department’s annual
reports for the last three years.
What do you do?
33
Scenario 3
The Fun in NL Conference is getting a lot of media
attention. You have received 5 requests over the last week
for the budget of this festival.
Is there anything you can do?
34
Scenario 4
You receive a request for:
Any and all emails sent with regard to the Fun in NL from
September 2017-present
When you do a search for emails you notice that one
employee has copied several emails to his personal gmail
account.
What do you do?
35
Scenario 5
You receive a request for:
The budget for that conference you held last year.
Your Department held over 20 conferences last year.
What do you do?
36
Scenario 6
You receive a request for:
All emails, blackberry messages, notes, snail mail letters,
and any and all other correspondence sent or received by
the Department in the last five years.
What can you do?
37
Scenario 7
You’ve noticed that over the past few years, many of your
requests contain multiple copies of the same emails – these
take a lot of time and effort to weed out. For example, in
your last request there were over twenty responsive emails
on whether it would be better to hold a meeting on
Tuesday or Wednesday.
Is there anything you can do?
38
Scenario 8
You receive a request for:
All records relating to the consultation on
Festivals held in June 2016, including responses by
members of the public.
You know that your department was asked to provide
questions, but the consultation itself was conducted by
another department. Should you proceed with processing
the request?
39
Scenario 9
As an ATIPP Coordinator, you are frustrated – all too often
other employees are getting you records at the last minute,
not realizing the work that goes in to processing requests.
Is there anything you can do?
40
Part 4 – Exceptions and other
Requirements
41
Mandatory vs. Discretionary Exceptions
• Mandatory exceptions – you MUST redact.
• Discretionary exceptions – you MAY redact.
42
Mandatory Exceptions
• Section 27 – Cabinet confidences
• Section 33 – Information from a workplace investigation
• Section 39 – Disclosure harmful to business interests of a
third party
• Section 40 – Disclosure harmful to personal privacy
• Section 41 – Disclosure of House of Assembly service
and statutory office records
43
Mandatory Exceptions
Cabinet Confidences– s.27
Cabinet confidences include a variety of records
that are prepared for submission to cabinet or refer
to those submissions.
Any cabinet records MUST be withheld entirely.
Any references to cabinet records MUST be
redacted.
44
Mandatory Exceptions – Statutory Office
Records
Statutory Office Records – s.41
• The House of Assembly has a number of statutory offices, for example:
• The Office of the Information and Privacy Commissioner
• The Child and Youth Advocate
• The Auditor General
• This exception protects the privileges and investigations of the statutory offices.
45
Mandatory Exceptions
Personal Information – s.40
• A public body must withhold where it is an unreasonable
invasion of privacy.
• A public body should release if it is not an unreasonable
personal privacy.
46
Deemed NOT to be an Unreasonable
Invasion of Privacy
• There is consent.
• Information about the functions or remuneration of an
employee of a public body (not names).
• Financial details of a contract.
• Details of a license, permit or other benefit.
• Travel expenses.
• Attendance at an event.
• Honours or awards.
47
Presumed to BE an Unreasonable
Invasion of Privacy
• Medical/psychological information.
• Law enforcement information.
• Employment and educational history.
• Information from a tax return.
• Bank account or credit card information.
• Job references.
• Racial or ethnic origin.
• Religious or political beliefs.
48
Not sure?
• Act allows you to consider:
– Importance of public scrutiny.
– Public health, safety and protection of the environment.
– Fair determination of rights.
– Information will validate the claims, disputes and grievances of aboriginal people
– Unfair harm or damage to reputation
– Information given in confidence
– Is the person deceased?
• Other factors:
– Is the information publicly available?
– Mosaic effect
49
Mandatory Exceptions
Disclosure Harmful to Business Interests of Third Party – s.39
• Three part test:
– commercial, financial, labour relations, scientific or technical information, trade secrets;
– received in confidence; and
– disclosure could reasonably be expected to result in undue financial gain or loss, significantly harm competitive position, reveal an arbitrators report
• Must meet all three parts.
50
Contents of Notice
50
• If information MAY be harmful to third party business
interests, must give notice.
• If giving notice, you should provide the reasoning
behind your determination, and a copy of the relevant
records.
51
Mandatory Exceptions
Information from Workplace Investigation – s.33
• Protects information created or gathered for the purpose
of a workplace investigation, except:
– if the investigation is about the applicant; or
– if the applicant is a witness in the investigation. If this is
the case the applicant only receives the portion of the
investigation the relates to them (i.e. their witness
statement).
52
Redaction Exercise 1
53
Discretionary Exceptions
• Section 28 – Local Public Body Confidences
• Section 29 – Policy Advice or Recommendations
• Section 30 – Legal Advice
• Section 31 – Disclosure Harmful to Law Enforcement
• Section 32 – Confidential Evaluations
• Section 34 – Disclosure Harmful to Intergovernmental Relations or Negotiations
• Section 35 – Disclosure Harmful to the Financial or Economic Interests of a Public Body
• Section 36 – Disclosure Harmful to Conservation
• Section 37 – Disclosure Harmful to Individual or Public Safety
• Section 38 – Disclosure Harmful to Labour Relations Interests of Public Body as Employer
54
Discretionary Exceptions
Local Public Body Confidences – s.28
• Includes a draft of:
– a resolution,
– by-law,
– private Bill or other legal instrument,
provided they were not considered in a public meeting.
• Exception is intended to protect the “substance of
deliberations” of a private meeting, under authority of an Act.
• 15 year time limit.
55
Discretionary Exceptions
Policy Advice or Recommendations – s.29
• Covers advice or recommendations developed by or for
a public body advice, proposals, recommendations,
analyses or policy options developed by or for a public
body or minister.
• Does not cover factual material, polls, statistics surveys.
56
Discretionary Exceptions
Legal Advice – s.30
• May refuse to disclose information that is subject to
solicitor client privilege or litigation privilege.
• Must refuse to disclose information that is subject to
solicitor and client privilege or litigation privilege of a
person other than a public body.
57
Discretionary Exceptions
Disclosure Harmful to Law Enforcement - s.31
• Interfere with or harm a law enforcement matter eg.
– Investigative techniques
– Confidential sources
– Intelligence information
• Security arrangements
58
Discretionary Exceptions
Disclosure Harmful to Conservation – s.36
• Fossil sites, natural sites, heritage sites.
• Endangered or threatened species.
59
Discretionary Exceptions
Confidential Evaluations - s.32
• This section includes confidential evaluations for:
– employment or for awarding of contracts or other
benefits;
– admission to an academic program;
– the granting of tenure; or
– an honour or award to recognize outstanding
achievement or distinguished service.
60
Discretionary Exceptions
Disclosure Harmful to Intergovernmental Relations or
Negotiations – s.34
• Harm relations with federal, local and foreign
governments, and any international organization of
states, or
• Reveal information received in confidence from a
government, council or organization.
61
Discretionary Exceptions
Disclosure Harmful to the Financial or Economic
Interests of a Public Body – s.35
• Trade secrets, information that may have monetary value,
administrative plans not yet made public, negotiations.
• Information that may prematurely disclose a proposal or
project or may lead to the financial gain or loss of a third
party.
62
Discretionary Exceptions
Disclosure Harmful to Individual or Public Safety – s.37
• Includes mental or physical harm.
• Threat could be to third party or applicant.
63
Discretionary Exceptions
Disclosure Harmful to Labour Relations Interests of
Public Body as Employer – s.38
• Protects labour relations information of government
as employer.
64
Public Interest Override
• Most discretionary exceptions to disclosure would
not apply where public interest in disclosure is
clearly demonstrated as outweighing the reasons
for the exception.
65
Redaction Exercise 2
66
Part 6 – Interactions with the OIPC
67
Time Extension Requests
• If after receiving an access request and initiating
searches and consultations it becomes apparent that the
final response timeframe cannot be met, Public Bodies
must apply to the Commissioner for an extension.
68
Time Extension Requests Deadlines
• The request must be received no later than 15 business
days after receiving the access request.
• The decision of the Commissioner will be provided within
3 business days after receipt of the application.
• The time to make an application and receive a decision
from the Commissioner does not suspend the final
response time limit.
69
69
Time Extension Requests Details
• Name and contact information of the public body and Coordinator.
• Public body file number.
• Wording of the access request.
• Date the access request was received by the public body.
• Original due date of request.
• Copy of the advisory response letter (with PI redacted).
• Information regarding any estimate of cost.
• Work done to date to process the access request.
• Work remaining to be done to process the access request.
• Can the public body release information in batches as records are
processed.
• Length of time extension being requested.
70
70
Time Extension Requests
Considerations
• The Commissioner will consider approving a time extension application
under the following circumstances:
– Insufficient details provided by the applicant
– Large number of records requested or to be searched.
– Responding within the time period would interfere unreasonably
with the operations of the public body.
– Multiple concurrent requests by the same applicant or two or more
applicants working in association.
– Third party notice has been given.
– Consultations are necessary.
– The Commissioner considers it fair and reasonable to grant an
extension of time.
71
71
Time Extension Requests
• Where approval is granted the public body must notify
the applicant:
– of the reason for the extension;
– of the commissioner’s approval; and
– when a response can be expected.
• The notification must be in writing.
72
72
Disregard Requests
• The request must be received no later than 5 business
days after receiving the access request.
• The decision of the Commissioner will be provided
within 3 business days after receipt of the application.
• The time to make an application and receive a decision
from the Commissioner does not suspend the final
response time limit.
73
73
Disregard Requests
• The public body must establish that:
– the request would unreasonably interfere with the
operations of the public body;
– the request is for information already provided to the
applicant; or
– the request would amount to an abuse of the right to
make a request because it is
• trivial, frivolous or vexatious,
• unduly repetitive or systematic,
• excessively broad or incomprehensible, or
• otherwise made in bad faith.
74
74
Disregard Requests
• Where approval is granted the public body must notify
the applicant:
– of the reason for the refusal to respond;
– of the commissioner’s approval; and
– that the decision of the public body may be
appealed to the Trial Division.
• The notification must be in writing.
75
Extensions and Disregards – Scenario 1
It is Day 15. You have just processed a huge request, and it
is ready to go out the door. Just as you are about to hit
send, an employee calls you with bad news – they just
found five more boxes of papers relating to the request.
What can you do?
76
Extensions and Disregards - Scenario 2
It’s Friday! You have 7 active requests and you think you
have them under control – they are big but you figure with
a bit of extra work you will just manage to get them all
completed on time.
You take a break from redactions to check your email,
and…. You just received 8 new requests.
What can you do?
77
Extensions and Disregards – Scenario 3
An employee was fired by your department three years ago. Since then, she has made 20 ATIPP Requests about the decision. You have provided documents with her name, all records involving her situation, and all emails sent around the time frame she was fired. You believe you have given her everything that could possibly relate to her situation. She has stated that she is so upset about what happened she will do anything she can to ‘get’ the department.
Today, you received 3 requests from her – two ask for the same records with different wording, the other is a question – why does the department see fit to fire good employees?
Is there anything you can do?
78
Access Complaints
• Coordinators will be sent notification when an access
complaint is received at the OIPC.
• OIPC provides Guidelines which are designed to assist
Coordinators in responding to the Complaint.
• Informal resolution deadline = 30 business days from the
date the complaint is received.
• Commissioner’s Report deadline = 65 business days from
the date the complaint is received.
79
Access Complaints
• Generally the OIPC will require:
– a copy of the Complainant’s access to information request;
– a copy of the public body’s decision letter;
– any correspondence to or from the Complainant or any affected
third parties regarding the request;
– a complete copy of the records sent, if any, to the Complainant;
– a complete copy of the records responsive to the request; and
– any other information you think appropriate to provide in
response to the Complaint.
80
Access Complaints
• You have 10 business days to make representations
justifying your reliance on any exceptions to disclosure you
have claimed.
– This may be the only opportunity to make a submission.
• You must include the reasons for the refusal and the
sections or subsections on which the refusal is based.
• If applicable, you must provide evidence that you have
considered the public interest in disclosing this information
and why you believe that disclosure is not required by this
section.
81
Access Complaints
• Records responsive to an access to information request
which are provided to our Office will not be disclosed by
this Office under any circumstances.
• All subsequent correspondence between you, the
Complainant and any affected third parties regarding the
request/complaint must be copied to our Office.
82
Reasonable Search Complaints
• OIPC Review will ask:
– Steps that were taken to identify and locate;
– Where (physically and technologically) you searched;
– Types of searches conducted (keyword, physical);
– Who conducted the searches; and
– Why the public body believes no records exist.
• It is possible to have conducted a reasonable search and still not locate the document(s).
• Records management issues discovered in such in a scenario should be addressed as they will not be accepted as a reasonable explanation in future cases involving the same public body.
82
83
83
Reasonable Search Complaints
• There is some onus on the Applicant to present a
reasonable basis for thinking a record exists or that an
adequate search has not been conducted.
– Examples include – having possession of a document
that was not found in the search; media reports exists
regarding the record; other evidence of the
document’s existence.
84
Deemed Refusals
• Occur where a public body does not provide any
response within 20 business days.
• The OIPC will investigate the reasons for the lack of
response.
• Processed the same as access complaints related to
redactions.
85
Privacy Complaints
• Coordinators will be sent notification when a privacy
complaint is received at the OIPC.
• The OIPC must process the Complaint as expeditiously as
possible, and will begin with informal resolution
attempts.
86
Privacy Complaints
• Generally, the OIPC will require:
– A response to the issue(s) raised by the Complainant;
– Any document related to the complaint and any other document
which might assist in clarification or resolution of the matter;
– Any policies or procedures the public body has that relate to the
complaint;
– Any remediation plan developed to deal with privacy breaches;
– Any comments that you wish to make in response to the
allegation of the Complainant.
87
Privacy Complaints
• The OIPC will also often ask a series of questions to assist
us in better understanding the circumstances.
• You must provide a response to those questions as well.
88
Privacy Complaints
• You have 10 business days to provide your response.
– This may be the only opportunity to make a
submission.
• All subsequent correspondence between you and the
Complainant regarding the Complaint must be copied to
our Office.
• Commissioner may initiate a privacy breach investigation
without a complaint.
89
Refusal to Investigate
• The Commissioner has the power to refuse to investigate a Complaint at any stage of an investigation.
– the head of a public body has responded adequately to the complaint;
– the complaint has been or could be more appropriately dealt with by another procedure or proceeding;
– the length of time that has elapsed would be likely to result in undue prejudice to a person or that a report would not serve a useful purpose; or
– the complaint is trivial, frivolous, vexatious or is made in bad faith.
90
Response to the OIPC
• Ensure that all public body records provided to the OIPC
are numbered, indexed and a table of contents is
provided.
• Ensure that the OIPC can easily determine what
information has been redacted.
– Highlighted copies.
91
91
Questions