Freedom of Information and Protection of Privacy Committee -- Issue No. 2 -- Wednesday, November 5, 2003

2003 Legislative Session: 4th Session, 37th Parliament
SPECIAL COMMITTEE TO REVIEW THE
FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT
MINUTES AND HANSARD

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO REVIEW
THE FREEDOM OF INFORMATION AND
PROTECTION OF PRIVACY ACT



CONTENTS

		Page

Ministry of Management Services and the FOI Act		19
	L. Gilliland
	C. Norman
	S. Plater
Subcommittee on Agenda and Procedure		34

Chair:	* Blair Lekstrom (Peace River South L)
Deputy Chair:	Mike Hunter (Nanaimo L)
Members:	* Bill Belsey (North Coast L) * Harry Bloy (Burquitlam L) * Jeff Bray (Victoria–Beacon Hill L) * Tom Christensen (Okanagan-Vernon L) * Ken Johnston (Vancouver-Fraserview L) * Harold Long (Powell River–Sunshine Coast L) * Sheila Orr (Victoria-Hillside L) * Barry Penner (Chilliwack-Kent L) * Gillian Trumper (Alberni-Qualicum L) * John Wilson (Cariboo North L) * Joy MacPhail (Vancouver-Hastings NDP) * denotes member present


Witnesses:	Liz Gilliland (Ministry of Management Services) Chris Norman (Ministry of Management Services) Sharon Plater (Ministry of Management Services)

B. Lekstrom (Chair): Well, good morning, everyone. I would like to welcome everyone this morning to the Special Committee to Review the Freedom of Information and Protection of Privacy Act. I apologize for the delay in starting. We will have some members joining us shortly. They are in other meetings at the present time.

It is a statutory requirement that this piece of legislation be reviewed. It is certainly a complex piece of legislation. Having read it from cover to cover, I can tell you that it was just intriguing. It is very interesting and affects the lives of many British Columbians and, I think, is important to the openness of government. Regardless of what political party is in power, it's very important that access to information is available when appropriate to the public and organizations who request it.

Today what we would like to do is have an overview presented to us from the Ministry of Management Services. We will go through that overview — really, how the ministry works with this piece of legislation, the administrative opportunities that are there. Certainly, if there's information that the presenters have on what they think would make this piece of legislation more workable, I would encourage them to put that forward as well. We will be hosting public meetings around the province as well as accepting written submissions. We will get into that part of our discussion as a committee in trying to put that agenda forward later in this meeting today.

Rather than take up a lot more time, I would like to at this time welcome Liz Gilliland, Chris Norman and Sharon Plater, who will give the committee the overview. Again, I will apologize for the members that will be joining us throughout the next ten or 15 minutes, but as people come in, please just continue with your presentation.

With that, I will pass the microphone over to you to begin the presentation. Again, welcome, and thank you for coming.

L. Gilliland: Thank you, Mr. Chair. I'll just make some introductions so everybody knows who we are, as you may be seeing a bit of us over the next little while on this topic.

I'm Liz Gilliland. I'm the acting chief strategist and government CIO at the Ministry of Management Services. Chris Norman is the executive director of government information strategies, policy and legislation, in the ministry as well. Sharon Plater is the director of the corporate privacy and information access branch. Chris and Sharon will have the greatest depth of knowledge and expertise in this area and I know will be a very strong resource to you as you consider the implications of the review and have questions to ask. To comment, we will be coming back as a ministry with a corporation submission. We look forward and thank you very much for encouraging us to do that.

As we go through the presentation today, we're going to cover a series of things. I wanted to review up front what the role of the ministry is as it relates to the legislation — we are quite unique in B.C., so it's very useful to do the historical perspective; how we got to where we are here; the overview of the legislation; and then a really detailed view of key provisions, which, although it's dry material, is really critical, particularly when we have members of the public who are very concerned about having access to information. That's a good reminder for all of us, as we go through the nitty-gritty of it, that this is based on very real and important things.

We'll have a look at the first special committee review, recent amendments and the Personal Information Protection Act. Then we'll have time at the end for questions. I do have to leave within the next 45 minutes, but as I said, Chris and Sharon will be your constants. They have way more expertise in the area, in fact, than I do.

There are three key players in the arena covered by this legislation. They have interdependencies and interrelationships with each other, but they each have very particular roles that they play. From our point of view, it's important for us to remember what those roles are and where the edges of the playing field are, in a sense, for each of the key players involved.

The information and privacy commissioner is, as you know, an independent oversight body, and it monitors compliance with the legislation. In a sense, we often think of that role as very similar to an appeal court judge. That is where you go related to compliance, related to issues of: "Are there external bodies that want to question compliance?" That is definitely where they will go.

Ministry of Management Services. Our minister is responsible for the legislation, and the ministry, under the leadership of Minister Santori, has the responsibility for the policy framework that the legislation functions in and also for developing administrative standards. We can develop the standards, the policy framework — the architecture, in a sense, for corporate government, for how the legislation is administered on the ground. We're also responsible for developing tools and supports that enable the ministries to function appropriately under the legislation. Where there are external bodies that are relevant, we will provide tools and support for them as well. When it comes right down to it, the actual delivery under the legislation happens with ministries and other public bodies. They are responsible for administering it, the doing of it.

You can see the three arenas. There's the big arena where there are issues of compliance and overall monitoring; there's the arena that sets the policy framework, develops the tools; and then there's where it happens,

which is in individual ministries and organizations. Those are the big three arenas we function in.

I'm going to hand this over to Chris now, who is going to talk in a little bit more detail about the ministry's role and will provide the rest of the presentation.

C. Norman: I sort of feel I'm living proof that dinosaurs are not completely extinct. I was certainly around at the genesis of this legislation and also had the good fortune to be a part of the creation of the Personal Information Protection Act. There are one or two dinosaurs still around, and this one can answer a few questions. I'm also sensitive to time, but if it is of use to you as we go through some of the provisions, if there's a question that comes to mind that you feel would be very relevant for us to try to answer at that time, we would certainly be prepared to do that — if that's agreeable to you.

As Liz mentioned, the act assigns responsibility to a minister, and that minister is the Minister of Management Services. In supporting the minister in meeting these responsibilities under the legislation, there is a central branch, or a central agency, called the corporate privacy and information access branch. It provides a number of central agency services. One is general advisory services to the approximately 2,200 public bodies that are covered under this legislation. In doing that, it also develops corporate policies, procedures and a range of tools that assist those public bodies in meeting their responsibilities under the legislation because, as mentioned, individual public bodies have the ultimate responsibility for making decisions — that kind of thing.

The branch also coordinates what are called cross-government requests. These requests that come in are multiple-ministry requests that would essentially be the same requests sent to a wide range of ministries. This branch provides some kind of coordinating support for that, with a view in mind of trying to provide the best answer and, as much as possible, a coordinated one.

It compiles the requests for legislative changes and manages that legislative amendment process. We'll touch on two recent rounds of amendments that just went through in spring of 2002 and spring of 2003. It processes adjudication requests. We'll touch a bit on what the adjudication is. It actually tends to be a misunderstood part of the legislation, but we'll talk a bit about that. It reviews privacy impact assessments for all new projects, government legislation systems and programs across government. This was an assessment tool that's been in place for some time, but one of the recent amendments made this a mandatory requirement for ministries.

It designs training materials and provides training sessions. It manages two broad-based corporate data systems that are related to the legislation.

In addition to supporting the legislation, the minister also has some formal duties prescribed by the act. These include maintaining and publishing a personal information directory. B.C. is the only province in Canada that actually provides this type of directory. It's unique in the country, and it's a very important step forward in privacy protection. The minister also has specific responsibility with respect to establishing directions for preparing privacy impact assessments and information-sharing agreements, which again are very important as government moves toward partnerships in providing information or in sharing information.

The minister also has regulation-making power to bring new bodies under the coverage of the legislation. This again was a change. It was a recent order-in-council, a cabinet decision, to bring in new public bodies. That authority has been given to the minister, under ministerial regulation, to add new public bodies with the view of expediting the addition of public bodies as well as preparing an annual report. The corporate privacy and information access branch — just to give an indication of the strategic decision to put together the broader information issues in government — also has responsibility for the new Personal Information Protection Act, which just passed a few weeks ago; the Electronic Transactions Act; and a document described as a fine piece of Depression-era legislation called the Document Disposal Act, which was passed in 1930-something.

J. Bray: Does your branch handle it, then, if there are new MOUs going between a particular ministry where we're going to be accessing federal data sources for various forms of data matching? Is it your branch that provides assistance to the individual ministry, or do you actually handle those negotiations with respect to both the federal department — usually the tax branch — and the federal privacy commissioner's role in that?

C. Norman: We would primarily provide a support role to that. The ultimate responsibility for that data sharing, or those data partnerships, would exist with the individual ministry or public body. What we would do is provide tools or support. We've offered things like model contract language that could be included so there's a consistency across the board — guidelines or directions or templates that could be used. We would not actually sign the agreement, but we would have involvement and support for that.

J. Bray: Just a follow-up. I know that about four or five years ago the federal privacy commissioner actually came out to British Columbia with some very serious concerns about some of the existing MOUs with respect to, in particular, our access to the entire child tax benefit file — for instance, for family bonus. Although the merge happened in cyberspace, his view was that we didn't have a right to all that information if it was only some people.

There was a sense that these MOUs were becoming more and more difficult to negotiate with the federal government because of the privacy commissioner's

perspective. Would you say that negotiations — the ability to get these agreements approved, from our perspective — have improved over the last five years, stayed the same or become more difficult with respect to the federal perspective on freedom of information?

C. Norman: That's hard to answer definitively. Certainly, my impression is that there's very good rigour around those agreements and that there's a sensitivity on all of the partners to ensure that when you are in a data-sharing arrangement, particularly if the information is sensitive personal information, the various components of the legislation are complied with. I think it's important to emphasize that B.C.'s Freedom of Information and Protection of Privacy Act is generally recognized as the strongest on privacy protection in the country, so bodies in B.C. that are participating in any kinds of partnerships must comply with the B.C. legislation.

S. Plater: Can I just add an answer to that? The privacy impact assessments that Chris Norman referred to just a few minutes ago have come into play in the last five years. A public body now, when they're contemplating making new MOUs or going into information-sharing arrangements, would need to complete a privacy impact assessment. That would catch some of the things that the federal privacy commissioner was alluding to. Hopefully, now they would be addressed before it ever got to the actual setting-up of the MOU.

C. Norman: As far as some historical perspective on the legislation — and I guess it's ten years old now, so it's historical — the act passed unanimously in June of 1992 after a very intensive legislative development process, which was a very busy six-month period, but based on other legislation. We had the benefit of having the Ontario legislation in place, which was actually a very good model to start with. It's generally viewed that we improved on that model, and then Alberta followed it. It's been a very interesting kind of replication of statutes across the country.

Proclamation occurred in October of 1993. This was to allow public bodies to prepare for the legislation. This was an important message we received in the development of the statute, and we worked with public bodies during that period. This was for provincial public bodies, I need to emphasize. The act was amended in '93 in an amendment act which extended coverage to local public bodies and to self-governing professions. Then there was a staged proclamation. Local public bodies were covered in November of '94 and self-governing professions in May of '95.

B.C. is still the only jurisdiction in Canada that covers self-governing professions, and its coverage of local public bodies is, again, wider than any other jurisdiction. For example, in Ontario, hospitals are not covered under their public sector statute, nor are universities — even though colleges are covered. We have the broadest range of coverage, and that actually became very significant when we looked at the Personal Information Protection Act, which we'll touch on a bit later.

There was a provision in the statute at the outset that there would be a mandated, all-party legislative review of the legislation. It had to start by 1997, which it did, and it reported out in the summer of 1999. We'll talk a bit about that. The significant thing there was that it was initially mandated as one legislative review. The act has been amended since to do a review every six years. We'll move to a general overview of the legislation, and we'll start to get into some of the detail.

The general overview covers essentially what the act is all about at the higher level. It is generally seen and I think has been increasingly viewed as being government's primary legislative statement on its commitment to openness, accountability and privacy protection. I think that's an important point and certainly has been recognized as such. As I mentioned, it's recognized as both the most open and the strongest on privacy protection and the widest in scope in Canada.

The Freedom of Information and Protection of Privacy Act is unique in many types of legislation (1) in its visibility, (2) in its profile and (3) in its cross-government application. This legislation covers every public body and places responsibilities that in many cases are the override of responsibility on this area. The legislation provides the legislative structure necessary for the successful implementation of e-government and alternative service delivery types of initiatives. So anything we do that involves information, this legislation provides that legislative infrastructure within which we develop those things.

Some statistics that might be useful. There are approximately 2,200 public bodies. We continue to say "approximately" because it's difficult to determine the exact number of them because of the nature of some of the relationships that exist, but that's a reasonably reliable number. Ministries receive approximately 5,500 requests for access per year. That's actually a very high percentage; B.C.'s percentage of per-capita requests is the highest in the country.

It's estimated that all public bodies receive a total of over 20,000 FOI requests per year. Approximately 5 percent of all those requests really lead to a request for review before the information and privacy commissioner. Of those approximately 1,000 complaints, the commissioner's office mediates approximately 92 percent, so it's a very good track record of compliance and a very track record of mediating and ensuring…. Even of the 8 percent that go on to a non-mediated kind of settlement, I understand that the majority of those are successfully dealt with and in favour of the public body — i.e., the finding is that the public body was acting appropriately.

The volume of requests. In 1994, the first full year, there were 4,745 requests. That level peaked in '96 with 6,502, and then they've started to go down since that point. Some interesting numbers here are that B.C. receives three times as many requests per capita as does

Ontario and four times as many as Alberta. We found it interesting, at one point, to realize that ICBC and Ministry of Children and Family Development each receive as many requests as the entire province of Alberta.

B. Lekstrom (Chair): We do have a question. If I could, I'll go to Mr. Christensen.

T. Christensen: I think I recollect that one of the concerns when the act was first being discussed and brought into force was whether governments would back off from routine disclosure of information and basically require people to use the access-to-information provisions to get anything. That certainly hasn't been borne out. The intent has been to try and increase the routine disclosure of information so that people don't even have to use the act.

Can you comment briefly on what progress we have made or are making in ensuring that, to the greatest degree possible, information is being made accessible so that the act really only needs to be used in circumstances where some part of a document may be excepted from disclosure or where privacy needs to be protected.

C. Norman: You're correct that the intention is, I think…. Some of the early terminology was that the act would be sort of Maytag repair legislation that would be used only in very infrequent cases.

I think that philosophy still exists. I think in the very early days there was some difficulty around routine release, in part because of the delivery mechanism. How is it that we were going to be able to make that routine information available? How were we going to get the information out about that so that people knew they didn't have to invoke an FOI request to try to get access to some of that material?

As you know, the FOI Act, because it was prepared and passed in 1992, was for all intents and purposes kind of pre-Internet. In fact, some of the early systems we developed to support it were even pre-Windows systems. Windows occurred while we were developing the systems, and when they came out, people would look at them and go: "It's not even Windows. How do we use this thing?"

That's been a pretty radical tool that's come. Ministries have invested and are continuing to invest — and not necessarily culminating, but greatly assisting with things like the government portal and other kinds of infrastructure — to make information available routinely through their websites, through portal access, through electronic services and electronic information-dissemination processes. There's a vast amount of the kind of information people are looking for which is now readily available either directly through a person's Internet link from home or through libraries or through other public access terminals that essentially allow us to have a better vehicle to accomplish that intention.

What you're really finding more and more — and I'm hopeful that trend will continue — is that the legislation really is there to address those specific instances where either there's a personal information requirement which you are required to go through processes of FOI or there are certain mandatory exceptions around things like cabinet materials or third-party business information where the public body really does not have an option. It needs to go through that process of rigour and making an assessment of the appropriateness of releasing that material.

T. Christensen: Do you have any idea of what percentage of the 5,500 requests last year would have resulted in disclosure of information without anything being held back?

T. Christensen: That's something we do track. I'm just looking for some flavour of how much or to what extent the act has got to the point where, really, when a particular request is made, the act is wholly relevant to that request in that there's some information that needs to be excepted.

C. Norman: We can give you those numbers. We do have a central request tracking system that ministries utilize in logging and tracking their requests. It allows us to generate some of those kinds of numbers. We can certainly provide that to the committee. We'd be happy to do that.

C. Norman: What does the act do? In the purpose statement of the legislation it's very explicit about emphasizing two broad purposes. Sometimes they're described as a balance of purposes, but really it's more appropriate to look at them as two specific types of purposes.

The first is around openness and accountability. The act explicitly states that it gives the public a right of access to records with limited exceptions. While we've come to recognize that as a standard approach, at the time that was seen as a fairly important change by stating that there was a right of access. It gives individuals a right of access to and the ability to request correction of their personal information. It provides independent oversight by the B.C. information and privacy commissioner. Again, the importance of oversight is not only critical with respect to the public sector statutes, but that was emphasized as very important for the Personal Information Protection Act when we were in the development of that statute.

The other arm of the legislation is the protection of privacy. It addresses the collection, use and disclosure of personal information and ensures that that's done appropriately.

Who's covered by the act? All provincial ministries, agencies, boards, commissions; most Crown corporations; local government bodies — for example, municipalities and police boards — health care bodies; educational bodies; and governing bodies of a profession or an occupation — things like the Law Society, the College of Teachers, the College of Physicians and Surgeons. They have FOI and privacy responsibilities of their own right.

B. Penner: Sorry to interrupt at this juncture. I notice that you say that most Crown corporations are included. Evidently, some are not. Do you have any explanation for the rationale as to why some would be included and some would not? I've been advised, for example, that B.C. Hydro — I think the largest Crown corporation in the province, at least in terms of assets — is not covered by freedom-of-information legislation. Is that correct?

C. Norman: That is not correct. The only Crown at the outset that was specifically excluded from coverage was B.C. Rail. There was a very compelling case made at the time to indicate that because of the deregulated environment in which they operated, even the exceptions that were provided would not have protected some of the proprietary information that they needed protected. B.C. Hydro, ICBC and the other major Crowns are covered by the legislation. Sharon, do you have examples of ones that would not be covered other than those?

S. Plater: The only ones that wouldn't be covered now are some of the new corporations that are being developed. There have been some in the rapid transit area, and I can't remember their names specifically at this moment. They are some of the new, smaller offshoots that haven't been brought under the legislation.

C. Norman: The new ferry corporation, for example, would not be covered because it doesn't meet the test of a public body.

J. MacPhail: BCTC isn't covered either — the B.C. Transmission Corporation?

J. MacPhail: And the organizing committee of the Olympics isn't covered either.

Who is not covered by the act? Members of the Legislative Assembly, the Provincial Courts, the Supreme Court and Court of Appeal, and the operational activities of officers of the Legislative Assembly. How this works is that officers of the Legislature such as the ombudsman, the information and privacy commissioner, the auditor general…. Their operational records are not covered. In other words, the case files of the ombudsman's office would not be covered, but the administrative records of those offices would if you wanted to get access to their budget materials or their broader-based administrative materials. That's the split in those particular offices.

What kinds of things are covered in the legislation? All records in the custody or under the control of a public body. This definition is important because, as you know, in many arrangements a public body may have control of records but might not have actual custody of those records because they might be held somewhere else either for processing purposes or types of relationships. The act covers the broad spectrum. That's a very important definition.

Both personal information and non-personal information are covered. It's very specific about that. The kinds of records that are specifically excluded — there are some exclusions — are things like records related to active prosecutions, teaching or examination materials, records of elected officials and of local public bodies, and personal donations or personal types of material in a public body archive. If an individual donates their records to an archive, it's not considered a government record, so it would not be covered by the legislation.

The act is divided or constructed in six different parts. There are the introductory provisions — largely the kind of material that we just talked about. There is the freedom-of-information part, which is part 2. That goes into the access rights and exceptions, protection-of-privacy part, the part dealing with the office and powers of the information and privacy commissioner, the part on reviews and complaints, and then some general provisions at the end of the legislation.

The act also includes three schedules at the end. The first schedule provides definitions of terms used in the legislation. The second schedule deals with the types of provincial public bodies covered under FOIPPA. Those bodies are identified by definition. There's a definition in the statute that says if you meet certain tests — any part of those — you would be eligible for coverage, and then it goes back to the ministerial regulation that we talked about a second ago. Then there's a schedule on the governing bodies of professions or occupations. Those would also be added to as new bodies are created.

S. Plater: I would just mention that the second schedule up there is where bodies like B.C. Hydro, the Egg Marketing Board and such entities as that are covered. Agencies, boards and commissions are usually covered under there.

C. Norman: It's perhaps important to note that with respect to the two latter schedules, bodies can be added

by ministerial regulation. They cannot be removed except by amendment. That was put in specifically.

Part 2 of the legislation. This part talks about how to make an FOI request. It must be in writing. There was some discussion early on in one of the changes to the legislation to try to articulate that the request needed to be in sufficient detail that a public body could actually understand the request coming in. There had been some experience where it was difficult for a public body to understand what was being requested, but the time clock was ticking for that public body. We tried to provide some clarity around that process.

There is a duty to assist applicants. The act is very specific about doing that, although there's not a duty to create records. If an individual is asking for a request to records, not necessarily to information…. If a person asked for some information, you would not necessarily be required to go in and create documents to provide that information. Many ministries do respond to those kinds of requests, but it would not be part of the FOI process.

There are time limits for responding to requests, and there are time limits for transferring requests to other bodies. So a request goes into one body, and they find that they don't have the records, but they assist the individual in finding where those are, and they are able to transfer that request to them.

There's information around the criteria for the contents of a response — reasons for denial, the right to review and those kinds of things — which must be transparent and a part of the process.

I won't go into a huge amount of detail as far as the exceptions to access except to mention that there are essentially two categories of exceptions, remembering that there is a right of access. So it's a right of access unless an exception applies to some part of that information. There is the concept of severability, and that's an important responsibility on a public body. If there is some part of a record that an exception applies to, the requirement is that you could remove that part, and the remainder of the record would be released. We've all seen examples of a document shown, and there are blacked-out portions on that particular document. Well, the blacked-out portions are there because the public body has made an effort to take out the parts that they are required or feel is necessary to take out and try to release the remaining part of that information.

The mandatory exceptions are ones dealing with cabinet and local government confidences, disclosure harmful to the business interests of third parties — so proprietary types of information that government does hold and would be harmful to a third party — and disclosure harmful to an individual's personal privacy.

J. Bray: I would imagine that from the public bodies' perspective…. I'm thinking primarily in areas like Children and Family Development or MHR, because those are the majority of requests, and they are: "I want to see what you've got in my file on me and my kids…." First of all, is it fair to say that the greatest sensitivity that, say, MCFD has is making sure that when they're going through those records, they are ensuring that if there's a complaint that's come through the school or somewhere, they're adequately severing out any identifiers of where complaints or reports have come from to protect those individuals who complied under the act to make the reports in the first place? Is that a fair…?

C. Norman: Yes. I think it's fair to say that a very important responsibility for personal information ministries such as that would be to ensure that while an individual would be entitled to their own information…. As we all know, oftentimes an individual's file would be intertwined with personal information of others — either other family members or people that have had involvement with them in some way or another, who themselves in some cases may not even know that information is in that file but certainly would not have been in a position to consent to it or to agree to that. That's a very important responsibility for those public bodies.

But in certain circumstances they may be required to make assessments, particularly in difficult cases where the release of the information to the individual might result in some harm to that individual. That is an exception in the statute which they also need to administer.

J. Bray: My follow-up question is…. Say I want my file. I get my photocopies of my files and the severing has gone on. You've got mandatory and you've got discretionary. Am I given a generic explanation, or am I given a specific explanation for the severances? In other words, when I say, "Why are those blacked out?" do you say: "Well, that's because those are people who reported you"? Or is it, "Here are all the reasons," and it fits within that explanation?

S. Plater: It really varies betweens ministries as to how they mark the files when they go out. Some of the ministries will mark in each particular section, so they'll have a stamp that says section 22 or section 17. Then in the letter it will say that section 22 information was removed to protect the privacy of third parties. That's usually as specific as it gets.

It will vary between ministries. One of the large corporations has a template that it sets up, and it describes each page, the information that was removed, and will give some detail without revealing what the information itself was.

J. Bray: My third question then is: for those ministries like MCFD that get a huge amount of these requests within government and direct government, have they changed their file structures, their electronic running records — those types of things — to better

accommodate the places where they're putting information that likely would be severed versus the ongoing running record that a social worker might be keeping on that file or resource, to try to ease the process both for potential applicants for the information and for the poor FOI manager person who's trying to figure out what the severing…? Have they made any move towards that or requested some guidance on that?

S. Plater: Some ministries have, and they've looked at ways they could file information that was routinely available in one section of the file and information that would need to be reviewed under the FOI Act in another section. Yes, they have made a lot of progress in that regard.

I wanted to go back, though, to your first question. The legislation that the Ministry for Children and Family Development operates under has its own access and privacy regime within that legislation. One of the things that it requires to be protected is the identity of an individual reporting issues around a child. It's under the child protection portion of that legislation. In terms of a request coming in for access, that ministry is required to look at both the FOI Act and their governing legislation.

G. Trumper: I was just looking at the local government competencies, which are mandatory. Does that take into consideration their protocol for what is confidential and what possibly could not be? I go back to the issue of dealing with confidential matters that are dealt with by local government. Sometimes, I think, in the past — maybe not so much now, because it's been made much clearer…. There are times when they've been a bit laissez-faire — that's the word — on what they can treat as confidential and what not.

S. Plater: The act is fairly specific. It says that it's a draft of a resolution, bylaw or other legal instrument by which the local public body acts or a draft of a private bill that they can refuse to reveal information on, or the substance and deliberations of a meeting of its elected officials where there is either an act or a regulation that authorizes the holding of that meeting in private or in the absence of the public. So there are very defined criteria.

C. Norman: My understanding is that many of the municipalities have developed their protocols with that kind of legislative understanding in mind.

J. Wilson: In relation to professional bodies, is individual information FOIable, or is this simply information that would relate to the organization?

C. Norman: If it's information held by the Law Society or a college, for example, it covers both the general and the personal information that that college or self-governing professional body would hold. That may be information that is also held by its members, but the responsibility of the self-governing professional body would be both FOI with respect to their operations, which also has a provision for an individual to ask for their information — which is important — but also privacy protection for the personal information they would collect or hold in their regulatory function.

S. Plater: A lot of the colleges have complaint files that contain a lot of personal information both about the complaint and — say, in terms of the College of Physicians and Surgeons — about the members of that college. People can ask for that information, but then what the college would do is look at the exceptions to determine what they can release and what they would need to be withholding.

J. Wilson: If an individual were to request their own records, would they get them in full, or would they be severed as well?

S. Plater: They would get them in whole if there wasn't any information about another party in that record. A lot of times the record will contain information about another individual. What the college or public body would have to do is determine whether the release of that information about the other party would be harmful to that party. If it was not going to be, they would release it. If it looked like it could be harmful, then they would withhold it.

Under the act, if there's information about another party in the record, they can consult with that third party to say: "Okay, we've had a request. Your information is in this file. Do you mind if it goes out?" If that party says, "No, you can release it," then that information would be provided.

H. Long: It just crossed my mind. I'm going to take a hypothetical where someone has applied to a college of physicians for some information. Even if the information asked for was appropriate, if for some reason the person that was asked for this information had a bad day and did not want to divulge that information, what process is in line to police or to monitor these organizations to make sure that information is forthcoming?

C. Norman: That's where the commissioner would come into play. If an individual asks one of the colleges or any public body for information and they get a response from them, if they're not satisfied with that, hopefully their first recourse would be to go to that organization and say: "I don't understand why I didn't get this information. Can you explain what authority you would have to withhold it? Help me to understand what it is you've done." That kind of thing. Hopefully,

if the person who did that had had a cranky day, they would have gotten over it by the time the person got back to them.

In those cases where that didn't occur and the person was still unhappy with the answer they were getting from the public body, in the response letter public bodies are required to notify them of their right to go to the information and privacy commissioner and have that office look into it on their behalf. Then it starts that process we spoke about earlier.

In many cases what happens is that it gets assigned to someone at that office, and they work with the requester and the public body. In 92 percent of the time they come to an understanding that they might convince the public body to release a bit more information, if that's possible. Or they may explain to the individual that they've done the right thing and this is really all the information you're either entitled to or that they should be giving you. That's an independent process separate from government.

At the end of that day, if an individual is still unhappy, they can go to the quasi-judicial process, and the commissioner would be in a position not only to hold an inquiry on that but to issue an order. The order is a binding order.

C. Norman: We can get you numbers on the exact number of times that it goes.

S. Plater: It's about 1,000 complaints per year. Of those, 92 percent are successfully mediated. You've got 8 percent of 1,000 that would go to the formal inquiry process.

H. Long: Is there a penalty of any kind for not getting the information? Is there any follow-up on someone who may not be giving the information freely?

S. Plater: Most of the penalty comes from the rulings of the commissioner's office, because they're made public. Then it's an embarrassment to whatever public body did not release the information if they….

S. Plater: There are fines in the legislation that could be levied if a public body were to not cooperate with the commissioner or not respond to his order. It would go through the Attorney General's…. The fines would be levied that way. As far as I remember, in the ten years of operation, the information and privacy commissioner has never had to do that.

B. Lekstrom (Chair): Just before I go to Tom, just to follow up. Chris, you were talking about it. My understanding when I read through the legislation is that if a request goes in to a body — traditionally it's in writing — the response coming back on the denial, for instance, if it's that way, has to point out the clause and section of the denial at that point.

T. Christensen: Presumably, at some point over the last decade the commissioner has been asked to provide a little interpretation on most if not all the sections that provide for either a mandatory or a discretionary exception. Does a summary already exist somewhere, where I could get a list of each of the exceptions — I know I can get that out of the act — accompanied by a paragraph or two that summarizes the commissioner's interpretation of that section?

C. Norman: There are a couple of answers to that. First of all, as far as the interpretation of the sections, there is a policy document that is issued centrally which is an attempt to provide interpretation as to what the specifics of a particular section might mean.

I think it's important to understand that with this legislation, like a lot of these types of legislation, in many ways they're interpretive tools. It's very difficult to be definitive or prescriptive down to a specific instance or level on how you might apply the broader interpretive guidance that comes in these statutes. That same challenge existed in the development of the Personal Information Protection Act, where you were dealing with private sector bodies. We weren't in a position — nor was it appropriate, necessarily — to get down and prescribe at a very detailed level. We have tried to provide interpretive guidance in the policy manual and the broad policy direction provided by government.

As far as the commissioner is concerned, the commissioner has issued a fairly substantive body of orders, so there is jurisprudence. I think the commissioner's office itself has been very clear to remind individuals that any orders they get issued are really specific to the facts of a particular case. That's a very important qualification. While they might be useful guidance, as well, and in many cases they coincide with the kind of general policy direction, the commissioner was very clear in indicating that I had a specific case in front of me with specific facts of the case and that the ruling itself is not definitive judgment for all cases that might relate to those specific things. As far as materials, Sharon's branch does prepare summaries of commissioner's orders. We do have interpretive materials on those, and those are available on their website.

T. Christensen: Essentially, what I'm getting at is that as this committee moves forward with its process, we're presumably going to be hearing from various folks about this legislation. I'm assuming at this point that some of them may have something to say about one or another of the exceptions. For my own benefit, I guess, what I'm hoping is that when I hear that submission, I will already have a good idea of how the particular exception has been applied so that in my own head I can monitor whether the submission is actually reflective of the real world.

S. Plater: We have the policy and procedures manual. It's up on our website, but we could provide you copies of these sections for your reference. There's also, I do believe, the commissioner's website, which has a concordance up on the website that shows where he's made rulings on various sections. It will come up at section 22 and then give you the lists of where you can find orders on that. We try to keep the manual current, reflecting new amendments as well as any orders that may have altered the interpretation of the legislation.

S. Plater: It is, and you have a handout in your package. If you look under there, it says: "Policies, procedures and manuals currently being updated." We're still trying to finalize some things on it.

B. Lekstrom (Chair): Chris or Sharon, could we get a hard copy of that, as well, to the committee? For our deliberations, I think it would be helpful if we have to cross-reference it a lot.

B. Lekstrom (Chair): I would take one. I don't think every member needs it, but if we're discussing it as the committee goes on, we would have that.

C. Norman: When we "webified" — that's a term — the manual from the multi-volume set referred to, we did shrink it down quite a bit. It is not quite as huge as the early version and hopefully more useful.

With the exceptions to access, there are the three mandatory and a number of discretionary exceptions. They range from things around policy advice, recommendations, legal advice, disclosure harmful to law enforcement, intergovernmental relations and negotiations, disclosure harmful to financial or economic interests of a public body, or harmful to conservation of heritage sites, the individual or public safety — one that we spoke of a few minutes ago — and the one on information that would be published or released within a very short time frame.

This part of the act also deals with third-party notification, so that if in fact you are considering releasing information of a third-party business interest, for example, the act does provide a mechanism for you to consult with that third-party interest to get their view as to whether or not they would find it okay to release that. The same would apply for personal information. There could be instances where an individual's information is included in a file, and you could go to that individual and say: "This family member has requested it. Do you have a problem with your information going out?" They would have the ability to agree to that.

C. Norman: There is also a specific section on public interest. It's often referred to as the public interest override. That section would identify that if there were an overriding public interest in the release of information, it would address the release of that material.

The third part of the legislation is the part that deals with privacy protection. It is the authority for public bodies to collect, use or disclose personal information. There are very specific provisions in there — for example, under the collection part. It essentially lists the only times that a public body can collect personal information. It's the same with the use, the same with the disclosure. So it's very specific. It provides that guidance and direction, and you will find that many, if not most, of those provisions are replicated in the private sector statute.

This is the part that also provides an ability for a person…. This also deals with accuracy and security, the retention of personal information to ensure that an individual has the right to see their information and the right to request correction of it. So if you in fact access your information and find it's incorrect, you can ask for it to be corrected. Or if it's things like an opinion, you can say you don't agree with that opinion and get a notation put on there to indicate you have a problem with it.

The issues around collection of personal information may only occur under three conditions: when permitted specifically by legislation, when collecting

for a law enforcement purpose or when the information is directly related to and is necessary for the activity of a public body. You must collect directly from the individual. There are very limited exceptions — with certain exceptions — where indirect collection is allowed, and you still have requirements around adequate notification.

Same with use. It's limited to that original purpose or a different use if consented to by the individual or if another statute provides the authority to use a different kind of….

J. Bray: This becomes the more germane aspect of some of my questions. As programs develop over time…. You collected my name, address, income and assets, say, for the Ministry of Human Resources application for the administration of the act…. The act changes over time. It includes the national child benefit. That requires a different use of that information.

In a realistic way to keep this spirit, is there a better way for us to maintain the ability of government to deliver the services that presumably are in the interest of the recipients of that government service, with the fact that now you might be taking that information and sharing it with the Ministry of Health for the delivery of a health benefit or with the federal government for the delivery of the coordinated national child benefit?

How does this act facilitate that versus maybe where we're sharing it with a child and welfare ministry, where it can get hazy as to whether it's actually to the benefit? Is it consistent? Is to the benefit of the applicant sufficient, or does it have to be consistent with: "We're collecting this to give you your income assistance cheque, not necessarily to give you dental benefits for your children"? This is where I see that the thing kind of gets stuck sometimes from a government policy perspective and how we get to the implementation.

C. Norman: I'll let Sharon also provide an answer to this, but I'll attempt to address it at sort of a higher level first.

In the treatment of personal information, what I think is important and what the act tries to do is establish an appropriate balance. That same set of considerations applies when you're looking at personal information protection in the private sector.

The balance I'm speaking of relates to the need for organizations or public bodies to collect, use and disclose personal information to provide appropriate services — in many instances, services that a member of the public either would very much want to have provided or would very much like to have provided. At the same time, there's a high level of sensitivity — particularly as we move into more of an on-line environment — in the public about the potential for data sharing, data matching, profiling and that kind of thing both in the public and in the private sector. We all learned of the power of that public opinion when the HRDC longitudinal database issue surfaced a number of years ago, where it became public that Human Resources Development Canada had this large database that was compiled from linking into a bunch of other types of databases.

Technically speaking, HRDC probably had the authority to have that database. The public reaction to that database resulted in them dismantling that a very short period of time afterward because of the perception issue — the worry that the public had that what you were creating was kind of one big database.

That's also true in the private sector. We heard very loudly in the consultations under the Personal Information and Protection Act a high level of concern of the public to say, "I want rules and I want control around how my personal information is going to be used," particularly as you move from a face-to-face relationship and more to an on-line or a distance relationship. So while the distance relationship and the on-line services are a good thing — and I think everyone embraces that and wants to embrace that — some of the statistics have shown that there hasn't been a full utilization of electronic commerce or a full takeup on some kinds of services because of people's concerns and perceptions around this kind of issue.

What public bodies are having to do with respect to this legislation is try to strike that balance and try to provide the services that you can in the best, most efficient and most usable way but to ensure that an average person in the public has confidence that if they are providing their information for this purpose, it's not going to show up somewhere over here or match for that kind of purpose — which they didn't realize was going to happen at the outset.

It's perhaps not a definitive answer to: exactly how do we solve this kind of issue? It has to be done more or less case by case. That's where the privacy impact assessment tool is so helpful. What it does is give you a way, and a consistent way, of public bodies making that kind of an assessment to say what is appropriate, what's within the bounds and what allows us to strike that kind of balance.

S. Plater: There already was a section in the act that allowed public bodies to disclose information within their own organization if it was necessary to carry out their duties. If they were running, say, assistance for a family, then they could disclose it to the various parties that needed to provide that assistance.

When we did our amendments in the last two years, we added another section. That allows the exchange to occur between public bodies, if there is a common or an integrated program and if the information is necessary to carry out that program of the ministry that it was disclosed to.

That was, in essence, a way of recognizing that there are two or three public bodies, for instance, providing services around one area — it might be health, it might be human resources or it might be somebody else — and allow them to exchange that information in order to provide the services to a group.

B. Lekstrom (Chair): I have two members wishing to ask further questions. I'll go to Joy next.

J. MacPhail: What experience are you gathering — either you or, to your knowledge, the information officer, the FOIPP officer — around video personal information?

J. MacPhail: Well, have you had any experience to date with video surveillance or video information and the personal use of that?

C. Norman: Video information is considered a record under the statute, so the legislation does apply to the collection, use and disclosure of that. There are guidelines that we have provided. I understand that the commissioner's office has also issued some guidelines around the kinds of assessments you'd make as far as the appropriateness of doing video surveillance or video recording. They usually relate to ensuring that the purpose you're trying to accomplish with that technology would be appropriate to the result you were trying to achieve.

In many instances, they have been put in place where there have been either security concerns or safety concerns for employees or the public. Normally, unless the surveillance is with respect to an investigation where knowledge of the investigation might compromise it, that's accompanied with a notice. So when you enter a premise and video surveillance is occurring, there is some notice that would indicate the video surveillance is occurring and there is someone you could ask questions of, if you wished to do that.

The other way this is being applied judiciously — and I think that's probably the way to describe it — is the retention of the information. Some of the video surveillance regimes that are in place wouldn't necessarily be recording the information or would only record if there was an incident — in which case it would actually be used. Sometimes they're on a continuous loop — that kind of thing. There has been a fair amount of interest and guidance around that. I believe it's used fairly judiciously, in a fairly limited way.

J. MacPhail: Just a last question on this: do you anticipate this being a bigger or smaller issue with the new act applying to private institutions?

C. Norman: Certainly, the input we got during the consultations was that the private sector did have instances where they either were considering using it or had been using it. They certainly seemed to appreciate that it is a collection of information, and once you collect that information, you have responsibility for it. I think what the private sector statute will do is not necessarily change the amount of video surveillance either less or more but ensure there's a consistent set of guidelines and a kind of underpinning for doing it.

S. Plater: I wanted to add on to that. If a public body — and this would be ministry-based only — was contemplating doing video surveillance, they would need to do a privacy impact assessment to look at what the impact would be. Part of that assessment is asking themselves all the questions Chris talked about: do we really need to do this? Are there other ways? How are we going to do it? Is there notice? How are we going to retain the information? That sort of thing. So if in fact they went ahead with it, by the time they got to that point, all the privacy issues would hopefully be addressed.

We are developing tools for the private sector legislation, and one of those tools will be a privacy impact assessment that they can utilize when they're going out and developing new systems such as video surveillance.

S. Plater: For ministries it's mandatory that they do that. It's a requirement under the legislation. For other public bodies and for the private sector it's voluntary.

C. Norman: There certainly has been a fair uptake from the private sector, for example — a high degree of interest in having a tool like that. I think they're concerned that this would be a good way to help them understand what their responsibility would be.

B. Lekstrom (Chair): I do have one more member wishing to ask a question, and we do have a significant portion of this presentation still to go. We're quickly running out of time, so I will entertain the question and ask members if they could, unless it's a dramatic question that needs an immediate answer…. We'll try and get through the presentation in the time allotted.

B. Penner: I could defer my question. I thought we were into questions and answers.

B. Lekstrom (Chair): We are, but looking at the thickness of the document and how far we have to get, if we continue at this pace, we will not get through it on this day.

C. Norman: We will speed up, and as far as the latter portions, we can either provide you with follow-up information, or we can leave it at your leisure.

The disclosure material. Again, these are the only grounds for providing that. There's a comprehensive list in the act that gives you when you can disclose personal information.

The next section deals with accuracy and correction. It's enough to indicate at this point that there are

responsibilities assigned to public bodies to make a reasonable effort to ensure that the information is correct and to correct it if it's not.

Provisions around security and retention. You must take reasonable steps to ensure that the information is secure, and you must keep it for one year after the information was last used to make a decision about an individual so that they have the ability to question with respect to that decision.

B. Lekstrom (Chair): Chris, just to jump in, when I said we were quickly running out of time, we do have probably 20 to 25 minutes. At the pace we're going through, we may be done within three minutes now. To give a bit of a ballpark on time, we are scheduled to wrap up at noon, and we do have some business at the end of the session — probably ten minutes.

C. Norman: Okay. Under the information and privacy commissioner, as we mentioned, a very key component of this legislation and the private sector legislation was having what's known as independent oversight. It's someone that an individual can go to, who is an interested party that can look into the issues on your behalf.

The act sets out the powers and the responsibilities of the commissioner. Some key points would be that the commissioner's office can conduct investigations and issue orders. They can comment on access and privacy issues. They can authorize public bodies to disregard requests. The commissioner can delegate some of the powers. Important to this legislation and PIPA is the commissioner's responsibilities to provide the public with information about the legislation.

Part 5 addresses in some detail, because it is defining a quasi-judicial process, how that works. We don't need to go into a lot of detail on that unless you have questions about it, but essentially what it does is set out the commissioner's inquiry powers, set out an individual's ability to ask for a review and set out a process to set up an adjudicator. This may come up in some of the submissions you get or some of the hearings you hold.

An adjudicator is actually a concept in the statute that unfortunately has been very much misunderstood. It was put in for a very specific and limited purpose. That is, because B.C. is the only jurisdiction that actually has officers of the Legislature covered in part, what you needed to have was some ability for a member of the public — if they asked for records of the ombudsman's and the ombudsman's office responded so that the ombudsman would be in this role as a head of a public body, not in his or her ombudsman's role, and they said, "No, you're not entitled to that information" — to have some place to go if they didn't agree with a decision.

The adjudicator is set up specifically just to address that. It is for those very limited instances where you've got a request to an officer of the Legislature and you need someone to go to, to provide an adjudicative function. Some people have thought that the adjudicator was a place you go to if you don't like the decision of a commissioner with respect to your complaint. It is not intended to deal with that. There are very limited grounds of judicial review on a commissioner's order, but it normally focuses on errors of law or if the commissioner exceeds jurisdiction. But if you don't like the answer, this doesn't provide a mechanism to get another opinion.

T. Christensen: Does the adjudicator have a role just with respect to the information and privacy commissioner's office or with any legislative officer's office?

C. Norman: Yes. Thank you for that. It's just the FOI commissioner. He would review other officers.

General provisions. Some of these we've touched on already. There is a requirement for ministries to use the personal information directory. As I indicated at the outset, we're the only jurisdiction that has that directory. There's also a requirement for ministries to conduct privacy impact assessment. That's also an area where B.C. leads. No other jurisdiction requires ministries to do privacy impact assessments. That's for impending legislation, for systems development or for any kind of major business or service initiative. There are issues around access to the policy manuals and routinely available records. There's power to make regulations.

There's direction around fees, the kinds of things that can be charged for. I think it's significant that not only does the act prescribe those things you can charge fees for, which do not relate in many respects to where the real burden or real cost of administering FOI requests relate…. For example, a ministry is not allowed to charge for the time it takes to review and sever a record, which in many instances is what takes a lot of the time. A ministry cannot charge for searching for a record unless it takes them over three hours to find that record.

Also significant with respect to that is a schedule of fees that says: "Okay, for those things you can charge for, here's the maximum charge." That schedule has not changed since the act was proclaimed, so the same fees that applied at the outset still apply today. It's still 25 cents a page for copying materials — that kind of thing.

Then we added in the requirement for a special committee to review the statute every six years. That was in response to some of the kinds of things that came up in the earlier review. I'll let Sharon address the first special committee review, and we'll step fairly quickly through that to allow you to ask other kinds of questions at the end if you have any. This in many

ways is background for you, and I'm sure there is a lot of material you have that demonstrated that review.

Sharon is going to also speak to you briefly about some of the amendments we did in the last two sessions, in large part based on some of the recommendations of your predecessor committee, and talk about the impact. I'll talk very briefly at the end about PIPA, and then we'll certainly try to provide you with the opportunity to ask further questions.

S. Plater: Okay. As you are probably aware, the first special committee that reviewed the act did so in 1997. It was initiated in 1997, and it was a requirement of the legislation. They had to review the act, and they issued a report in 1999. They had meetings around the province. There were over 170 submissions, including ones from the information and privacy commissioner and one corporate submission which was issued on behalf of government and was prepared by the corporate privacy and information access branch.

The committee reported out that in general they found the act was working well. However, they did make 26 recommendations, 14 of which were for amendments to the act and 12 of which were for no change. In other words, they had received suggestions to change it, and they came back and said: "No, that can remain the same." These recommendations were sent to government and reviewed by government. A number of them were included in the first set of amendments that was done on the act in the spring of 2002.

The actual amendment process began with a letter from the Premier instructing the Minister of Management Services to conduct a review of the act to increase openness of government and to reduce compliance costs. This was conducted in two phases, which resulted in two sets of amendments. There were 19 amendments done in the spring of 2002, and those responded to the recommendations of the first special committee. There was one amendment done in the fall of 2002, which was an amendment to section 12 of the legislation to clarify the meaning of a committee under the legislative system so that the deliberations of the executive committee could be ensured to be kept confidential.

S. Plater: Cabinet committee. The 19 amendments were passed in the spring of 2003, and that was a further set of amendments flowing out of the review requested by the Premier.

In addition, we made changes to the coverage of the act, so in March 2000 there were 97 new public bodies added to the legislation. On February 26, 2003, there were 19 additional public bodies. Now, because of an amendment we made in 2003, we don't need to add public bodies in such a formal way anymore. Public bodies can be either added through their own legislation — so if there's legislation coming out that's creating new public bodies, they can simply add it through that means — or they can ask for a ministerial regulation. We put through two or three at a time, whenever we get a group of them. They go through a much less formal process at this point.

The amendments in the spring and fall…. Basically, this is just a brief summary. There are more detailed lists of the amendments, but it permitted new public bodies, as I said, to automatically be added under the coverage of the act. It established the personal information directory, which Chris has already referred to. It provided mechanisms to help public bodies process requests more efficiently, so they could be responded to in a timelier manner and more cost-effectively.

It strengthened the commissioner's capacity to deem some requests as inappropriate, therefore freeing up resources to deal with other requests. It established the requirement, as Chris has indicated, for legislative review every six years. It clarified the meaning of cabinet committees to ensure, as I said, that the deliberations of the executive committee were adequately protected.

In the spring of 2003 a lot of these were housekeeping amendments, so a lot of them were very small — to remove public bodies that were listed in there and that didn't need to be any longer, etc. — but it did increase the consistency of collection, use and disclosure provisions as they apply to personal information held by contractors. The way the original legislation was worded, it was very clear under the collection provisions that it did apply to contractors, but it was less clear under the use, disclosure, security and retention provisions that it applied to contractors. This was clarified to ensure that all aspects of the fair information practices applied to contractors.

It increased privacy by ensuring that researchers cannot collect personal information from public bodies for the sole purpose of contacting potential subjects.

The privacy commissioner was able to delegate the review of law enforcement information to his staff. This was one area where he had to review all requests that came in to his office himself, and it was fairly onerous. We now have set up a provision whereby he can delegate those reviews to his staff unless there is a specific request from the Ministry of Attorney General or a police chief to have only him review it.

It clarified that notification to an individual is not required when the information is being collected from another source. Originally, people were thinking that if they were, say, conducting an investigation and were able to go and get the information from another source, they still had to notify the people they were in fact collecting it from somewhere else, which would defeat the entire purpose. Basically, what we've clarified now is that if you are able under the legislation to collect it from another source, you do not need to notify the individual it's about that the collection is going forward.

We removed one phrase to more adequately represent the commissioner's reporting relationship with the Legislative Assembly.

The impact of these amendments was to improve the access and privacy provisions, reduce compliance costs and address any unintended consequences of the original wording. As I said, there were some bodies that no longer needed to be there, and there were some words that were duplicated — little things like that. It positioned B.C. to lead Canadian jurisdictions in e-government initiatives and permits better realization of the original intent of the legislation.

C. Norman: Just to briefly sum up, in the fall session, passing on October 6 and receiving royal assent on October 23, B.C. passed the Personal Information Protection Act. Quebec has had such legislation in place for over ten years, but B.C. is really the first province to take that step, certainly since the federal government statute was in place.

Most of you probably know that the federal statute had indicated to provinces that if they did not do their own legislation within a certain period of time, the federal act would cover it. I think there was a fairly strong view supported very much by stakeholders that the provincial act would be a better regime for them. Also of significance is the very, very close partnership B.C. had with Alberta in the development of this legislation, even to the extent that we actually shared a drafter a large part of the way through the development of these statutes.

My understanding is that Alberta's statute also received initial reading in their spring session and is due to be passed in the next few weeks or brought forward for passage in the next couple of weeks in Alberta. Ontario is looking at B.C.'s statute as a model, and certainly their commissioner is proposing it as a model for an Ontario statute. It is very similar to the Freedom of Information and Protection of Privacy Act.

Some see the private sector act as having a different kind of standard. I think that may be a little overstated, but you may get some making representation to you to say, "We like the standard in the PIPA," or "We like the regime in PIPA," and so there may be some suggestion there. Certainly, in the private sector the statutes tend to be more consent-based than would necessarily be possible within a public sector setting, so you may hear some of that.

The last thing we wanted to relate to you was that government corporately, certainly the ministries, are in the process of preparing a corporate submission. Sharon's branch will be leading the process of holding meetings and gathering input. We get input fairly regularly from ministries and other public bodies to say: "We're having this particular experience. Can you help us either figure out what the issue is or identify if in fact this is a problem with the legislation in a more substantive way?"

We collect that over time, and some of the two sets of amendments recently completed reflected some of that input over time. The intention would be that we would come back to this committee with a corporate submission on behalf of government and would request permission to do that later in your process.

Sharon would very much want me to point out the website. I think it's generally recognized and, hopefully, would be seen as a very useful tool for you. It not only provides a lot of clarifying information and support material for the Freedom of Information and Protection of Privacy Act, but I think you might find interesting, as a contextual basis and a parallel to it, the kinds of tools that are being made available to support the private sector organizations as they try to prepare for their coverage by January 1, 2004.

Thank you very much for the opportunity to address you. I'm happy to try to answer any questions.

S. Plater: I wanted to mention that in your package there are the two cover sheets from the website, just to give you an idea of what it is. One is the entrance sheet, and the other is more specific.

B. Lekstrom (Chair): Well, Chris and Sharon, I want to thank you very much. It is a very in-depth piece of legislation and one that for the most part, I think, most British Columbians don't pay a lot of attention to until they actually need to utilize it. I want to thank you. I think your overview was very clear and precise. It has availed us of an opportunity to learn, and that is the job of this committee: to learn, listen and see if there's a way to improve this piece of legislation.

I note there are a couple of questions. I will begin with Barry and then move to Sheila.

I note that in the act there are a number of provisions that make it discretionary whether government releases certain types of information, exceptions being around disclosure that might be harmful to law enforcement or public safety. Do you keep track of the types of requests that you get and, specifically, the number of exemptions by category that are granted?

B. Penner: Is that information available on your website, or do we have to submit an application to receive it?

C. Norman: We can provide the committee with some statistical cuts at the information. Ministries in the corporate tracking system do log their requests, and they will log the application of exceptions within that, so there is the ability to provide that kind of reporting.

B. Penner: For example, you have on one of the pages of this PowerPoint, section 13 and section 14, different types of discretionary disclosures. You would be able to provide information about the number of requests received by category and the results of those requests — whether they're denied or accepted?

S. Plater: We would be able to provide you with the requests received per year, per month or over the past ten years — what ministers received them, whether the requests were for personal or general information and in a lot of cases the actual exceptions that were used. It depends a lot on what the ministries have entered into the request tracking system, but we certainly can break it down into those categories.

S. Orr: I'm sorry, I had to duck out for half an hour. This might have been covered.

We are the only province that, within the scope of our act, is bringing in self-governing institutions. We're the only province that does that. Was that question asked? I question why we're the only province that does that and why we're doing it.

C. Norman: The instruction we were given at the time of the development of the act was to be the most open and strongest on privacy protection in Canada. One part of that exercise was to look at the scope of the most open jurisdiction existing at that time, which was Ontario. Certainly, part of that discussion was saying: "Okay, if they have carved their universe in this particular way, what grounds might we have to go further, and what would some of those areas be, and what would be the impacts of doing that?"

As I mentioned earlier, for example, Ontario didn't cover universities. There really wasn't any good reason why they didn't cover universities that we could find, so the decision was made to cover those. In fact, in many of the instances, in some of the policy discussions we actually had a kind of continuum where we laid it out and said: "The most open jurisdiction is here. What would be the pros and cons of that?"

Self-governing professions were discussed. I understand it was believed that because they play a self-regulating role — as I remember it was put — if they weren't performing that role, government would likely be performing that regulatory role. They were seen as doing that on proxy of government. In many instances it was statutory authority for that regulatory function. Certainly, we got a lot of input from advocacy groups indicating that there was a high level of concern, say, around what the Law Society might do to dispense with particular issues that might come to their attention.

I did mention at the outset, too, that one of the interesting benefits of the reach of the Freedom of Information and Protection of Privacy Act in the development of the private sector statute was because B.C. had gone so far in its coverage…. For example, when we went to the College of Physicians and Surgeons, they had indicated to us that because of their coverage and their role, they had put into place very embracive kinds of guidelines and requirements for their constituent bodies. The Personal Information Protection Act — they would have already been managing well within the parameters of that kind of statute. To some extent it made B.C.'s exercise a simpler one than, say, in Alberta, where they hadn't covered self-governing professions under their public sector act. There was a fair bit of discussion around the appropriateness of doing that.

S. Plater: I think the other thing, too, was the recognition that the self-governing professions — particularly the larger ones like the College of Teachers, the College of Physicians or the Law Society — do hold a lot of personal information, both about complainants and about their members, and that there needed to be some protections for that information but also some rights of access.

T. Christensen: Can you provide us with a list of the recommendations from the last committee's report and whether they've been implemented?

B. Lekstrom (Chair): I could possibly answer that. We will circulate the full report with the recommendations, and it will be dealt with.

S. Plater: We can give you a list of the ones that have been implemented as well as the ones that weren't.

T. Christensen: That would be helpful. Then just a second question. I'm intrigued by this personal information directory and the fact that we're the only ones that appear to have it. Can you just expand a bit more on what it is and what it means to me as an individual British Columbian?

C. Norman: There was originally a requirement for something called a directory of records. You probably remember. That was in large part oriented toward kind of providing a long, massive list of government records that existed. That was produced once at considerable cost, and unfortunately it was virtually out of date the day it was put out. As we've discovered, no one was using it because what ended up happening was that people would just go to a ministry, and they'd open this massive book. Records managers helped us to compile it, so it was listed by record series and things. People were kind of going: "I don't understand." They weren't using that part of it.

What we did realize was that there was a considerable amount of interest in government's personal information practices, particularly as we moved more toward on-line kinds of services. We proposed, and it was accepted and passed, that we would publish a personal information directory. That directory is an on-line publication that lists all of the personal information banks of government. It's a registry, in that way, of all personal information banks held by ministries. It

lists all privacy impact assessments that are done. It lists them out, and then you can go and pursue them further if you wish. It also provides a registry of all information-sharing agreements. What it really provided was, to some extent, a one-stop window that allowed the public to have confidence in the government's personal information practices. You could view it and then get access to information about those.

T. Christensen: In theory I could go in, look at the list of opportunities for different ministries to collect personal information, figure out which ones I had provided my personal information to, and then see who they had information-sharing agreements with. I could, in theory, trace where my personal information may have gone within government. Is that relatively accurate?

S. Plater: You could if you wanted that level of analysis. If you look up a privacy impact assessment, for instance, it will tell you who the parties were that the information was shared with, what the type of information was that was shared. The privacy impact assessment will, if they were doing it on a particular information-sharing agreement, give you that. It gives you a contact person that you could go to, to get further information. It tells you, under information-sharing agreements, whether a privacy impact assessment was done on this.

It gives you a little history and enough details that if you wanted to do the kind of analysis you're talking about, you could follow it through. Basically, it allows you to locate where the personal information is and what they have been doing with it.

Tom, I apologize. I think I misinterpreted your question. I think it would be helpful if the recommendations contained in the 1999 document…. If we could get even a one-pager saying, "Here are the recommendations; here's the point they're at today — implemented, not implemented and why," that would be….

I see no further questions at this time. Again, Sharon, Chris, I would like to thank you. If you would, pass our thanks on to Liz as well. It has been a very informative session here this morning, and I know that I myself, I'm sure, along all of my colleagues, can learn a great deal through the process we've been asked to take on here. Thank you very much.

B. Lekstrom (Chair): We do have a few moments remaining. We have a couple of things I would like to go over with the committee. There is the issue of input from the public, which I think is vitally important to this committee's work. We will have to put together a schedule to tour the province. Having looked at the previous tour and the number of people that attended, we will try and coordinate some type of schedule.

If it's acceptable, we do have a subcommittee of this committee which includes myself as Chair, Mike Hunter as Deputy Chair and Ms. MacPhail. We are a subcommittee to put together an agenda and a time frame. If that would be acceptable, we could do that and present it back to the committee for consideration. I think it would be important. Our commitment to the Legislature is to report out by no later than May of next year. That is one year from the date of the inception of this committee. I think we can meet those time lines.

I do have copies of the previous review for each member. I think it's certainly worthwhile going through when you read through the document. Having done that, I think the presentation here this morning was very informative. It ties things together quite nicely. Like anything else, if there's room to improve, it's our committee's job to look for those improvements, listen to the people and the ideas they bring forward, and see if we can incorporate those — if acceptable — into the report we will present back to the Legislative Assembly.

T. Christensen: Just thinking back in terms of the previous report, it looked like it took a couple of years to prepare. Maybe something the subcommittee wants to look at is why that took so long. I recognize that we're pretty confident we can do this by next May, but what might some of the hiccups be, given that it took so long before? I have no idea why it did. There may be lots of good reasons for that.

B. Lekstrom (Chair): We will check into that. I believe there was some interpretation that upon expiry of the first year, the second year reinitiated the committee and allowed the time frame to be extended. As Chair of the committee, when I look at the work we have to do on behalf of the people of British Columbia, I'm quite comfortable we can meet the May time frame. Again, certainly we will look into that, but I see no issues that jump out at me and say: "My goodness, we're not going to be able to meet the time frames here."

T. Christensen: Do you need a motion for the subcommittee to figure that out?

T. Christensen: I move that the subcommittee establish a time line and business plan for the committee's work.

B. Lekstrom (Chair): We will put that together and, hopefully, have that back to the committee members in the not too distant future. I would like to try and move this project ahead.

With that, is there any other business before I look for a motion to adjourn? I will look to members of the committee.

I see no further issues. I want to thank the committee members again. I think this is a great opportunity to learn a great deal about a piece of legislation that is very important to British Columbians in general.

Hansard Services publishes transcripts both in print and on the Internet. Chamber debates are broadcast on television and webcast on the Internet.

REPORT OF PROCEEDINGS (Hansard)

SPECIAL COMMITTEE TO REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO REVIEW
THE FREEDOM OF INFORMATION AND
PROTECTION OF PRIVACY ACT