Control-Alt-Delete:

Control Data, Use Alternatives, and Delete Risks

April 30, 2018

1

A Day in the Life of an ATIPP Coordinator:

Processing & Managing ATI Requests & Complaints

2

Agenda

Part 1 – Who is involved in ATI Requests and

Complaints?

Part 2 - Overview of the ATIPPA, 2015

Part 3 - Steps to Respond to an ATI Request and Scenarios

Part 5 – Mandatory Exceptions and Redaction Exercise

Part 6 – Discretionary Exceptions and Redaction Exercise

Part 7 – Interactions with the OIPC

3

Part 1 – Who is involved in ATI Requests

and Complaints?

4

ATIPP Office

• We provide advice and support by:

– answering questions on privacy and access;

– assisting with privacy breaches;

– providing forms and templates

– providing training; and

– providing guides and handouts.

5

Office of the Information and Privacy

Commissioner (“OIPC”)

• Independent office of the House of Assembly which utilizes a hybrid model that allows the Commissioner to make recommendations that public bodies must follow unless they file an appeal with the courts.

• Duties of the OIPC include: – Investigating complaints regarding access to

information requests and breaches of privacy. – Receiving privacy breach notifications. – Processing time extension and disregard requests.

Public bodies must respond to an access request within 20 business days.

– Conducting own motion investigations. – Education, advocacy, audits, commenting on draft

legislation, etc.

6

Head of Public Body

• Ultimately responsible for the public body’s compliance

with the Act

• To find out who the head is, consult the Act. For

example:

– For government departments, this is the Minister (but

duties are typically delegated to the Deputy Minister)

– For Crown Corporations, it is the CEO

– Municipalities must appoint a Head

7

ATIPP Coordinator

• Managing and processing access to information requests.

– Preparing responses.

– Communicating with applicants and third parties.

• Gathering records.

• Protecting the identity of applicants.

• Educating staff.

• Preparing stats and tracking requests and outcomes.

8

Part 2 – Overview of the ATIPPA, 2015

9

ATIPPA, 2015 – Purpose

The purpose of the Act is to facilitate democracy through

– ensuring citizens can participate meaningfully in the

democratic process;

– increasing transparency;

– protecting the privacy with respect to personal

information held by public bodies.

10

4 Parts of the ATIPPA, 2015

1. Access to records and Correction of Records

2. Protection of Personal Information

3. Establishing Office and Powers of the Information

and Privacy Commissioner

4. General (includes offences)

11

ATIPPA, 2015 – Access

• Under ATIPPA, 2015 the default position is that all

records in the custody or control of a public body are

accessible unless a specific exception to access applies.

• Exceptions provide for withholding of information in

many different contexts, for example legal advice and

cabinet confidences. These will be discussed later.

12

ATIPPA, 2015 – Privacy

• The ATIPPA, 2015 sets out how personal information can

be collected, used, and disclosed.

• Public bodies must take reasonable steps to protect the

personal information they collect.

13

Part 3 – Steps to Respond to an ATI

Request

14

13(1) The head of a public body shall make every

reasonable effort to assist an applicant in making a request

and to respond without delay to an applicant in an open,

accurate and complete manner.

The Duty to Assist

15

The Duty to Assist

• Provide necessary information.

• Clarify the request, if required.

• Perform full and adequate searches.

• Respond without delay.

• Communicate with the applicant throughout the process.

16

Step 1 – Receiving Request

• Applicant will send in request form.

– Do not send this form to the ATIPP Office.

• Review form. If you are not sure what the applicant is

asking for, contact them to clarify.

17

Step 2. Inform ATIPP Office of Request

• Send Form 1A to the ATIPP Office (unless government

department).

• Do not include information about the applicant in this

form.

• The ATIPP Office will give you a file number for the

request.

18

Step 3 – Send Acknowledgement

• Using Form 2, send an acknowledgement letter to the

applicant.

• This lets the applicant know you have received their

request.

• Should be sent as soon after receiving a request as

possible.

19

Step 4 – Gather Records

• Contact appropriate individuals within the department to

find out where records can be found.

• Locate the records that have been requested.

20

Step 4 – Gather Records

Remember that the term ‘record’ is very broad. Depending on the wording of

the request, your search may include:

21

Reasonable Search

• Give staff clear instructions about where and how to

search for records

• Make sure staff know that they must provide ALL

responsive records

• Searches must be conducted by knowledgeable staff in

locations where the records in question might

reasonably by located.

• Keep records of who, what, where and when records

were searched.

22

Step 5 – Send Advisory Response

• The advisory response (Form 3) gives the applicant an

update on their request.

• Must be sent within 10 business days of receiving the

request.

– Unnecessary if everything has already been

completed by day 10.

23

• The ATIPP Office can assist you with identifying whether

information can be redacted under the Act.

• You must give notice to a Third Party, if you decide to

disclose information that you reasonably believe may be:

– an unreasonable invasion of privacy; or

– harmful to a third party’s business interests.

Step 6 – Redact Information if

Appropriate

24

Redaction Tools

Redaction tools

– Rapid Redact

– Adobe – caution

– Black marker – make sure to photocopy rather than

giving original redacted page

– White tape – same as above.

25

Step 7 – Provide Final Response

• Complete Form 4A, 4B, 4C or 4D

• You can modify these forms.

• Attach the requested records.

• Pages should be numbered and organized. Consider

using a table of contents if a large number of records is

being provided.

• Where information is redacted, give the section of the

act that exempts the information and explain why it

applies.

26

Step 8 – Inform ATIPP Office of

Completed Request

• Complete Form 8 and send to ATIPP Office (unless

government department)

27

27

Anonymity of Applicants

In most circumstances, the identity of the applicant must

remain anonymous.

28

Fees

• $5 processing fee was removed in 2015.

• The circumstances where you can charge fees are very

limited. You can contact the ATIPP Office for more

information if:

– you expect to spend a lot to time finding records;

– you must pay significant fees for shipping a request;

or

– you must pay significant fees to reproduce a record.

29

Extensions and disregards

• Extensions: Must be requested from the OIPC by day 15.

This process will be discussed later in the presentation.

• Disregards: Must be requested from the OIPC by day 5.

This process will also be discussed later in the

presentation.

30

Scenarios - Background

You are the ATIPP Coordinator for the Department of Fun

and Festivals, a busy (and non-existent) department of the

Government of Newfoundland and Labrador. The following

are some scenarios that you might run into in the run of a

week.

The Department regularly runs conferences. Last year it

held Fun in NL. This conference was well attended but went

significantly over budget. The spending on this conference

has received significant media attention.

31

Scenario 1

You receive a request for:

The anticipated and actual budget for the Fun in NL

conference held in November 2017

You advise your supervisor of the request and she asks who

the applicant is. What do you do?

32

Scenario 2

An individual phones you and says they want to put in an

ATIPP Request. You explain the process and then they tell

you they just want a copy of the Department’s annual

reports for the last three years.

What do you do?

33

Scenario 3

The Fun in NL Conference is getting a lot of media

attention. You have received 5 requests over the last week

for the budget of this festival.

Is there anything you can do?

34

Scenario 4

You receive a request for:

Any and all emails sent with regard to the Fun in NL from

September 2017-present

When you do a search for emails you notice that one

employee has copied several emails to his personal gmail

account.

What do you do?

35

Scenario 5

You receive a request for:

The budget for that conference you held last year.

Your Department held over 20 conferences last year.

What do you do?

36

Scenario 6

You receive a request for:

All emails, blackberry messages, notes, snail mail letters,

and any and all other correspondence sent or received by

the Department in the last five years.

What can you do?

37

Scenario 7

You’ve noticed that over the past few years, many of your

requests contain multiple copies of the same emails – these

take a lot of time and effort to weed out. For example, in

your last request there were over twenty responsive emails

on whether it would be better to hold a meeting on

Tuesday or Wednesday.

Is there anything you can do?

38

Scenario 8

You receive a request for:

All records relating to the consultation on

Festivals held in June 2016, including responses by

members of the public.

You know that your department was asked to provide

questions, but the consultation itself was conducted by

another department. Should you proceed with processing

the request?

39

Scenario 9

As an ATIPP Coordinator, you are frustrated – all too often

other employees are getting you records at the last minute,

not realizing the work that goes in to processing requests.

Is there anything you can do?

40

Part 4 – Exceptions and other

Requirements

41

Mandatory vs. Discretionary Exceptions

• Mandatory exceptions – you MUST redact.

• Discretionary exceptions – you MAY redact.

42

Mandatory Exceptions

• Section 27 – Cabinet confidences

• Section 33 – Information from a workplace investigation

• Section 39 – Disclosure harmful to business interests of a

third party

• Section 40 – Disclosure harmful to personal privacy

• Section 41 – Disclosure of House of Assembly service

and statutory office records

43

Mandatory Exceptions

Cabinet Confidences– s.27

Cabinet confidences include a variety of records

that are prepared for submission to cabinet or refer

to those submissions.

Any cabinet records MUST be withheld entirely.

Any references to cabinet records MUST be

redacted.

44

Mandatory Exceptions – Statutory Office

Records

Statutory Office Records – s.41

• The House of Assembly has a number of statutory offices, for example:

• The Office of the Information and Privacy Commissioner

• The Child and Youth Advocate

• The Auditor General

• This exception protects the privileges and investigations of the statutory offices.

45

Mandatory Exceptions

Personal Information – s.40

• A public body must withhold where it is an unreasonable

invasion of privacy.

• A public body should release if it is not an unreasonable

personal privacy.

46

Deemed NOT to be an Unreasonable

Invasion of Privacy

• There is consent.

• Information about the functions or remuneration of an

employee of a public body (not names).

• Financial details of a contract.

• Details of a license, permit or other benefit.

• Travel expenses.

• Attendance at an event.

• Honours or awards.

47

Presumed to BE an Unreasonable

Invasion of Privacy

• Medical/psychological information.

• Law enforcement information.

• Employment and educational history.

• Information from a tax return.

• Bank account or credit card information.

• Job references.

• Racial or ethnic origin.

• Religious or political beliefs.

48

Not sure?

• Act allows you to consider:

– Importance of public scrutiny.

– Public health, safety and protection of the environment.

– Fair determination of rights.

– Information will validate the claims, disputes and grievances of aboriginal people

– Unfair harm or damage to reputation

– Information given in confidence

– Is the person deceased?

• Other factors:

– Is the information publicly available?

– Mosaic effect

49

Mandatory Exceptions

Disclosure Harmful to Business Interests of Third Party – s.39

• Three part test:

– commercial, financial, labour relations, scientific or technical information, trade secrets;

– received in confidence; and

– disclosure could reasonably be expected to result in undue financial gain or loss, significantly harm competitive position, reveal an arbitrators report

• Must meet all three parts.

50

Contents of Notice

50

• If information MAY be harmful to third party business

interests, must give notice.

• If giving notice, you should provide the reasoning

behind your determination, and a copy of the relevant

records.

51

Mandatory Exceptions

Information from Workplace Investigation – s.33

• Protects information created or gathered for the purpose

of a workplace investigation, except:

– if the investigation is about the applicant; or

– if the applicant is a witness in the investigation. If this is

the case the applicant only receives the portion of the

investigation the relates to them (i.e. their witness

statement).

52

Redaction Exercise 1

53

Discretionary Exceptions

• Section 28 – Local Public Body Confidences

• Section 29 – Policy Advice or Recommendations

• Section 30 – Legal Advice

• Section 31 – Disclosure Harmful to Law Enforcement

• Section 32 – Confidential Evaluations

• Section 34 – Disclosure Harmful to Intergovernmental Relations or Negotiations

• Section 35 – Disclosure Harmful to the Financial or Economic Interests of a Public Body

• Section 36 – Disclosure Harmful to Conservation

• Section 37 – Disclosure Harmful to Individual or Public Safety

• Section 38 – Disclosure Harmful to Labour Relations Interests of Public Body as Employer

54

Discretionary Exceptions

Local Public Body Confidences – s.28

• Includes a draft of:

– a resolution,

– by-law,

– private Bill or other legal instrument,

provided they were not considered in a public meeting.

• Exception is intended to protect the “substance of

deliberations” of a private meeting, under authority of an Act.

• 15 year time limit.

55

Discretionary Exceptions

Policy Advice or Recommendations – s.29

• Covers advice or recommendations developed by or for

a public body advice, proposals, recommendations,

analyses or policy options developed by or for a public

body or minister.

• Does not cover factual material, polls, statistics surveys.

56

Discretionary Exceptions

Legal Advice – s.30

• May refuse to disclose information that is subject to

solicitor client privilege or litigation privilege.

• Must refuse to disclose information that is subject to

solicitor and client privilege or litigation privilege of a

person other than a public body.

57

Discretionary Exceptions

Disclosure Harmful to Law Enforcement - s.31

• Interfere with or harm a law enforcement matter eg.

– Investigative techniques

– Confidential sources

– Intelligence information

• Security arrangements

58

Discretionary Exceptions

Disclosure Harmful to Conservation – s.36

• Fossil sites, natural sites, heritage sites.

• Endangered or threatened species.

59

Discretionary Exceptions

Confidential Evaluations - s.32

• This section includes confidential evaluations for:

– employment or for awarding of contracts or other

benefits;

– admission to an academic program;

– the granting of tenure; or

– an honour or award to recognize outstanding

achievement or distinguished service.

60

Discretionary Exceptions

Disclosure Harmful to Intergovernmental Relations or

Negotiations – s.34

• Harm relations with federal, local and foreign

governments, and any international organization of

states, or

• Reveal information received in confidence from a

government, council or organization.

61

Discretionary Exceptions

Disclosure Harmful to the Financial or Economic

Interests of a Public Body – s.35

• Trade secrets, information that may have monetary value,

administrative plans not yet made public, negotiations.

• Information that may prematurely disclose a proposal or

project or may lead to the financial gain or loss of a third

party.

62

Discretionary Exceptions

Disclosure Harmful to Individual or Public Safety – s.37

• Includes mental or physical harm.

• Threat could be to third party or applicant.

63

Discretionary Exceptions

Disclosure Harmful to Labour Relations Interests of

Public Body as Employer – s.38

• Protects labour relations information of government

as employer.

64

Public Interest Override

• Most discretionary exceptions to disclosure would

not apply where public interest in disclosure is

clearly demonstrated as outweighing the reasons

for the exception.

65

Redaction Exercise 2

66

Part 6 – Interactions with the OIPC

67

Time Extension Requests

• If after receiving an access request and initiating

searches and consultations it becomes apparent that the

final response timeframe cannot be met, Public Bodies

must apply to the Commissioner for an extension.

68

Time Extension Requests Deadlines

• The request must be received no later than 15 business

days after receiving the access request.

• The decision of the Commissioner will be provided within

3 business days after receipt of the application.

• The time to make an application and receive a decision

from the Commissioner does not suspend the final

response time limit.

69

69

Time Extension Requests Details

• Name and contact information of the public body and Coordinator.

• Public body file number.

• Wording of the access request.

• Date the access request was received by the public body.

• Original due date of request.

• Copy of the advisory response letter (with PI redacted).

• Information regarding any estimate of cost.

• Work done to date to process the access request.

• Work remaining to be done to process the access request.

• Can the public body release information in batches as records are

processed.

• Length of time extension being requested.

70

70

Time Extension Requests

Considerations

• The Commissioner will consider approving a time extension application

under the following circumstances:

– Insufficient details provided by the applicant

– Large number of records requested or to be searched.

– Responding within the time period would interfere unreasonably

with the operations of the public body.

– Multiple concurrent requests by the same applicant or two or more

applicants working in association.

– Third party notice has been given.

– Consultations are necessary.

– The Commissioner considers it fair and reasonable to grant an

extension of time.

71

71

Time Extension Requests

• Where approval is granted the public body must notify

the applicant:

– of the reason for the extension;

– of the commissioner’s approval; and

– when a response can be expected.

• The notification must be in writing.

72

72

Disregard Requests

• The request must be received no later than 5 business

days after receiving the access request.

• The decision of the Commissioner will be provided

within 3 business days after receipt of the application.

• The time to make an application and receive a decision

from the Commissioner does not suspend the final

response time limit.

73

73

Disregard Requests

• The public body must establish that:

– the request would unreasonably interfere with the

operations of the public body;

– the request is for information already provided to the

applicant; or

– the request would amount to an abuse of the right to

make a request because it is

• trivial, frivolous or vexatious,

• unduly repetitive or systematic,

• excessively broad or incomprehensible, or

• otherwise made in bad faith.

74

74

Disregard Requests

• Where approval is granted the public body must notify

the applicant:

– of the reason for the refusal to respond;

– of the commissioner’s approval; and

– that the decision of the public body may be

appealed to the Trial Division.

• The notification must be in writing.

75

Extensions and Disregards – Scenario 1

It is Day 15. You have just processed a huge request, and it

is ready to go out the door. Just as you are about to hit

send, an employee calls you with bad news – they just

found five more boxes of papers relating to the request.

What can you do?

76

Extensions and Disregards - Scenario 2

It’s Friday! You have 7 active requests and you think you

have them under control – they are big but you figure with

a bit of extra work you will just manage to get them all

completed on time.

You take a break from redactions to check your email,

and…. You just received 8 new requests.

What can you do?

77

Extensions and Disregards – Scenario 3

An employee was fired by your department three years ago. Since then, she has made 20 ATIPP Requests about the decision. You have provided documents with her name, all records involving her situation, and all emails sent around the time frame she was fired. You believe you have given her everything that could possibly relate to her situation. She has stated that she is so upset about what happened she will do anything she can to ‘get’ the department.

Today, you received 3 requests from her – two ask for the same records with different wording, the other is a question – why does the department see fit to fire good employees?

Is there anything you can do?

78

Access Complaints

• Coordinators will be sent notification when an access

complaint is received at the OIPC.

• OIPC provides Guidelines which are designed to assist

Coordinators in responding to the Complaint.

• Informal resolution deadline = 30 business days from the

date the complaint is received.

• Commissioner’s Report deadline = 65 business days from

the date the complaint is received.

79

Access Complaints

• Generally the OIPC will require:

– a copy of the Complainant’s access to information request;

– a copy of the public body’s decision letter;

– any correspondence to or from the Complainant or any affected

third parties regarding the request;

– a complete copy of the records sent, if any, to the Complainant;

– a complete copy of the records responsive to the request; and

– any other information you think appropriate to provide in

response to the Complaint.

80

Access Complaints

• You have 10 business days to make representations

justifying your reliance on any exceptions to disclosure you

have claimed.

– This may be the only opportunity to make a submission.

• You must include the reasons for the refusal and the

sections or subsections on which the refusal is based.

• If applicable, you must provide evidence that you have

considered the public interest in disclosing this information

and why you believe that disclosure is not required by this

section.

81

Access Complaints

• Records responsive to an access to information request

which are provided to our Office will not be disclosed by

this Office under any circumstances.

• All subsequent correspondence between you, the

Complainant and any affected third parties regarding the

request/complaint must be copied to our Office.

82

Reasonable Search Complaints

• OIPC Review will ask:

– Steps that were taken to identify and locate;

– Where (physically and technologically) you searched;

– Types of searches conducted (keyword, physical);

– Who conducted the searches; and

– Why the public body believes no records exist.

• It is possible to have conducted a reasonable search and still not locate the document(s).

• Records management issues discovered in such in a scenario should be addressed as they will not be accepted as a reasonable explanation in future cases involving the same public body.

82

83

83

Reasonable Search Complaints

• There is some onus on the Applicant to present a

reasonable basis for thinking a record exists or that an

adequate search has not been conducted.

– Examples include – having possession of a document

that was not found in the search; media reports exists

regarding the record; other evidence of the

document’s existence.

84

Deemed Refusals

• Occur where a public body does not provide any

response within 20 business days.

• The OIPC will investigate the reasons for the lack of

response.

• Processed the same as access complaints related to

redactions.

85

Privacy Complaints

• Coordinators will be sent notification when a privacy

complaint is received at the OIPC.

• The OIPC must process the Complaint as expeditiously as

possible, and will begin with informal resolution

attempts.

86

Privacy Complaints

• Generally, the OIPC will require:

– A response to the issue(s) raised by the Complainant;

– Any document related to the complaint and any other document

which might assist in clarification or resolution of the matter;

– Any policies or procedures the public body has that relate to the

complaint;

– Any remediation plan developed to deal with privacy breaches;

– Any comments that you wish to make in response to the

allegation of the Complainant.

87

Privacy Complaints

• The OIPC will also often ask a series of questions to assist

us in better understanding the circumstances.

• You must provide a response to those questions as well.

88

Privacy Complaints

• You have 10 business days to provide your response.

– This may be the only opportunity to make a

submission.

• All subsequent correspondence between you and the

Complainant regarding the Complaint must be copied to

our Office.

• Commissioner may initiate a privacy breach investigation

without a complaint.

89

Refusal to Investigate

• The Commissioner has the power to refuse to investigate a Complaint at any stage of an investigation.

– the head of a public body has responded adequately to the complaint;

– the complaint has been or could be more appropriately dealt with by another procedure or proceeding;

– the length of time that has elapsed would be likely to result in undue prejudice to a person or that a report would not serve a useful purpose; or

– the complaint is trivial, frivolous, vexatious or is made in bad faith.

90

Response to the OIPC

• Ensure that all public body records provided to the OIPC

are numbered, indexed and a table of contents is

provided.

• Ensure that the OIPC can easily determine what

information has been redacted.

– Highlighted copies.

91

91

Questions