Presentation to the Union of Municipalities of New Brunswick 2013 Annual Conference Fredericton, NB – October 4, 2013.

New Era of Access to Information and

Privacy

Presentation to the Union of Municipalities of New Brunswick

2013 Annual ConferenceFredericton, NB – October 4, 2013

On September 1, 2010, a new law regarding access to information and protection of privacy came into effect: Right to Information and Protection of Privacy Act◦ Designed for the public sector◦ Promotes spirit of openness and transparency◦ Grants right to request information relating to the

public business of a public body◦ Grants right to request one’s personal information◦ Obligates public bodies to protect private

information at all times◦ Act “ Came to Town” on September 1, 2012

Introduction

◦ Also created on September 1, 2010

◦ Independent of government

◦ Commissioner: Officer of Legislative Assembly

◦ Impartial oversight body to ensure compliance with Right to Information and Protection of Privacy Act

(as well as Personal Health Information Privacy and Access Act)

Office of the Access to Information and Privacy

Commissioner

Interprets the Act

Informs the public of its rights

Promotes openness and transparency

Provides guidance on how best to apply the new rules

Ensures compliance with the Act

Role of Commissioner’s Office

Receives:

◦ General inquiries about the Act ◦ Complaints regarding responses to requests for access to

information ◦ Notification of privacy concerns or breaches of the Act (the

handling of personal information found in records during its collection, use, disclosure, retention, or destruction)

Investigates and Resolves:

◦ Complaints informally if at all possible

Publishes:

◦ Reports of Findings after investigations (when required)

Commissioner’s Office

RIGHT OF ACCESS

Governed by rules found in Part 2

Request to access records that contain private information

PROTECTION OF PRIVACY

Governed by rules found in Part 3

Protects private information at all times

Right to Information and Protection of Privacy Act

RIGHT OF ACCESS

Only rules for protection of private information found under Part 2 can be considered in exceptions to disclosure

PROTECTION OF PRIVACY

Rules under Part 3 are applied by public bodies to protect private information on a regular basis – not for requests

Separated but related concepts

Personal information− protected based on unreasonable invasion of privacy

Business information− protected based on may cause harm to business

◦ Both types may still be subject to access (Subsections 21(3) &22(3))− Because disclosure deemed not unreasonable invasion of privacy

nor to cause harm

◦ Example: personal information about an officer or employee of a public body deemed subject to disclosure: job classification salary range benefits employment responsibilities or travel expenses

Interaction between the concepts

If information is protected under another statute, the Act will respect that protection unless there is conflict regarding its disclosure

◦ Example: where third party individual or business consents to release of own private information which is otherwise protected by other statute

Public procurement is a good example of such interaction

Interaction between the Act & other statutes

Public Procurement Process and the Act

Appropriate level of confidentiality of business and personal information while promoting transparency and accountability

Rules ensure that the public obtains access only to

information it is entitled to receive

Where request made to access bid information after tender is awarded, municipality must ask the bidder for consent to release the bid information

See Guide for Municipalities on Public Procurement and the Act

RIGHT OF ACCESS

Grants public a right to request information contained in records held by public bodies

◦ Key words: access to information rather than access to records

Promotes disclosure of the information, subject to limited and specific exceptions

Imposes on public bodies an obligation to respect that right of access - duty to assist

Right of Access

Codified in section 9 of the Act

Places a positive obligation for public body to assist applicant with the request, without delay, fully and in an open and accurate manner

Encourages public body to contact applicant:

◦ Clarifies request where unclear

◦ Identifies exact information sought

◦ Assists in reducing scope of broad request where possible

◦ Ensures applicant receives information to which entitled, satisfactory response

Duty to assist

All information regarding the public business of the public body, its activities and functions

◦Found in its records Example: information found in minutes of

meetings, reports, decisions made, handwritten notes, correspondence, emails of staff and officials, text messages, etc.

Includes information created before the Act came into effect

Which information can be accessed?

Process the request from the perspective that favours disclosure

Response should be meaningful

Right of access can only be restricted with specific and limited exceptions

Time limit to respond is 30 days, unless authorized to extend time limit

Processing access requests

Two types of exceptions:

◦Mandatory: public body has no choice but to withhold the information requested

◦Discretionary: head of the public body must come to a decision whether or not to disclose the information Based on relevant considerations existing at

the time of the request

Exceptions to disclosure

Examples of Mandatory exceptions to disclosure

◦ Information that reveals recommendations to Executive Council

◦ Information provided in confidence to a government

◦ Information from a harassment or personnel investigation

◦ Personal information where head is certain disclosure would be an unreasonable invasion of the individual’s privacy

◦ Business or financial interests of a third party where head is certain disclosure might cause harm

Mandatory exceptions(Division B of Part 2 of the Act)

Examples of Discretionary exceptions to disclosure

◦ Advice or recommendations made to a public body

◦ Solicitor-client privilege information◦ Plans not yet implemented ◦ Confidential evaluations ◦ Information, if released, would be harmful to:

governmental relations legal proceedings an individual public safety

Discretionary exceptions(Division C of Part 2 of the Act)

For any Discretionary exceptions to disclosure, head of the public body:

◦ Must first consider disclosing the information◦ Ask for consent where applicable◦ Must examine any relevant factor regarding the

disclosure (or non disclosure) existing at time of request

◦ Only decide to withhold the information where refusing access can be substantiated

Decision of head is reviewable by Commissioner or the courts

Rules for discretionary exceptions

Time limit for responding can be extended in two ways:

◦ Can self extend up to an additional 30 days if processing request falls within categories described in subsection 11(3)

◦ Can apply to Commissioner for an extension of time Public body must establish reasons why more time is

needed Commissioner will encourage partial responses in

meantime where appropriate

Time limit to respond

An applicant not satisfied with the response has two options:

Refer the matter to the Court of Queen’s Bench for review (legal application, must file within 30 days)

Or

File a complaint with the Office of the Access to Information and Privacy Commissioner within:

60 days of receiving response, or 120 days from making request if did not receive a

response

If the response is not satisfactory?

Commissioner must investigate all complaints

Will first attempt to resolve the matter informally To the satisfaction of both parties In accordance with the Act While providing guidance on application of rules

Have designed interactive complaint resolution process for municipalities

If informal resolution is unsuccessful, formal Report of Findings will be published

May contain recommendations

Access Complaints filed with the Commissioner

When the Report contains recommendations, the public body must:

◦ Comply with the recommendations within 15 days, or

◦ Within 15 days, notify applicant and Commissioner of its decision not to accept the recommendations Will trigger applicant’s right of appeal to the courts

When the Report does not contain any recommendation:

There is no right of appeal and only recourse is judicial review of Commissioner’s decision

Commissioner’s Recommendations

Consider the benefits of making information available to the public on a regular basisExamples:◦ Agendas, ◦ Minutes of meetings, ◦ Travel expenses, Range of salaries,◦ Reports and records on how decisions were made,◦ Etc.

Good practice:Proactive disclosure

Elected officials generate two types of records:

• Records that will be brought to a public body for further action• These records are subject to the Act

• Constituency records – will not be brought to any public body for further action• Not subject • Privacy considerations

Records of elected officials

PROTECTION OF PRIVACY

Public bodies are responsible for protecting the personal information in their possession.

Act establishes rules governing the handling of personal information, including during its ◦ collection, ◦ retention,◦ use, and◦ disclosure.

Protection of Privacy

What are the rules?

Guiding principles to collect, use and share personal information:

ONLY THE MINIMUM AMOUNT NECESSARY

and

LIMITED TO THOSE WHO NEED TO KNOW TO CARRY OUT THE PURPOSE

When personal information (that identifies a person) is:

◦ Lost

◦ Stolen

◦ Collected, used, shared or disposed of in an unauthorized manner or without consent, or

◦ Accessed by an unauthorized person

What is a privacy breach?

Lack of attention, errorsEmail sent to incorrect recipientEnvelope sent to wrong person with same name Incorrect fax number not verified before sending

Loss or theft of the information

Lack of security safeguards USB keys, portable computers - not password protected Not keeping sensitive records in locked cabinets, storage areas

Unauthorized access or disclosure Sharing personal information outside scope of work duties “Snooping” – intentional violation

Most common causes of Privacy breaches

Contain the breach Assess the risk of harm Notify affected persons Notify Commissioner’s Office

◦ Provided guidance and assistance◦ Mandatory for some – health care providers

Implement corrective measures to prevent future occurrences

What to do if breach occurs?

THINK before you speak!

CONSIDER before you write !

PAUSE before you click !

Best safeguards!

How to Contact us

230 - 65 Regent Fredericton, NB E3B 7H8

Tel/Tél: 506.453.5965Toll-free/Sans frais: 1.877.755.2811

Fax/Fac: 506.453.5963

www.info-priv-nb.ca

Email/Courriel: [email protected] accès.info.vieprivé[email protected]