Public-sector record-keeping is currently a hot topic in Canada due to numerous scandals involving political staff deleting records, resulting in reports and recommendations by Information and Privacy Commissioners. And now, legislative action is being taken.
Ontario has new statutory obligations to safeguard records, and penalties for their willful destruction. The British Columbia government indicated it will be looking into a legislative duty to document decisions as part of the province’s review and potential overhaul of its access to information legislation. This type of duty has been talked about for years; however, no jurisdiction has implemented it. We may have reached a turning point.
Toughening record-keeping laws
On January 1, 2016, the Public Sector and MPP Accountability and Transparency Act (Ontario) came into force. This legislation amended several statutes. Importantly for public-sector privacy pros, the act amended the Freedom of Information and Protection of Privacy Act and Municipal Freedom and Protection of Privacy Act to impose new record-keeping obligations and offenses for breaching those provisions:
- Institutions must securely retain their records (FIPPA, s. 10.1; MFIPPA, s. 4.1)
- Institutions are prohibited from wilfully destroying records with an intent to impede access to those records under FIPPA or MFIPPA (FIPPA, s. 61(1)(c.1); MFIPPA, s. 48(1)(c.1).
- If convicted of willfully destroying records to impede access, an individual could be fined up to $5,000 (FIPPA, s. 61(2); MFIPPA, s. 48(2).
This legislation comes on the heels of a number of political controversies over document destruction. Last year closed with the Ontario Provincial Police announcing that it had charged the former premier’s chief of staff and deputy chief of staff with criminal offenses involving breach of trust, mischief in relation to data and misuse of a computer system to commit the offense of mischief. The offenses stem from allegations that documents relating to the cancellation of gas-fired power plants were destroyed.
Also closing out the year, David Loukidelis, former British Columbia Information and Privacy Commissioner, issued his report to the British Columbia government on how to implement recommendations that were made by Elizabeth Denham, the current Information and Privacy Commissioner following her investigation into the destruction of records by political staff. Commissioner Denham recommended, among other things, that the government “should legislate independent oversight of information management requirements, such as the destruction of records, including sanctions when those requirements are not met.” Loukidelis also recommends the government enact provisions to prohibit the willful destruction and to punish individual who do so.
Similarly, on January 7, 2016, the Alberta Information and Privacy Commissioner and the Alberta Public Interest Commissioner released the results of their joint investigation into allegations of improper destruction of records by Alberta Environment and Sustainable Resource Development during a transition of government following the provincial election. The commissioners raised concerns about whether proper security provisions are in place in Alberta to protect records from destruction. The commissioners have made a number of recommendations, including a recommendation for “appropriate sanctions for officials or departments found to have destroyed or handled records in contravention of the RM Regulation [Records Management Regulation], such as destroying records without authorization, applying records schedules inappropriately, or failing to create and maintain records that support business operations and evidence-based decision-making.”
We should expect to see continued pressure on governments to enact legislation to punish wilful destruction of records.
Ontario information and privacy commissioner issues guidelines
Recent guidance from the information and privacy commissioner of Ontario (IPC) sets out a number of expectations that the commissioner has for heads of institutions governed by FIPPA and MFIPPA in relation to the record-keeping amendments in bill 8. Institutions governed by FIPPA include a variety of public-sector and broader public-sector institutions. In addition to government ministries and crown corporations, this legislation applies to public hospital and universities. MFIPPA governs not only municipal governments but also municipal corporations, such as those involved in providing public housing and electricity distribution.
The IPC expects institutions to have a formal, documented records management program that includes consideration of the threats to the records from damage or destruction, including by fire, flooding and theft. The fact that an organization uses an off-site or third-party storage solution does not limit the organization’s ultimate responsibly for safeguarding records. Since records encompass data in all media, organizations must consider more than the safeguarding of paper records but must also ensure that records in all formats are protected. This may be challenging if the organization is used to using transitory media such as instant messaging or text messages. Nevertheless, the institution must capture these records and preserve them.
The IPC expects organizations to invest in training with respect to the records management plan and to audit compliance periodically. Auditing may be particularly helpful in detecting vulnerabilities to the institution’s document retention strategy. Auditing compliance may also deter the likelihood of willful destruction of records to evade the accessibility of records to access to information requests.
Recommendations to rethink transitory records
No information and privacy commissioner has suggested that institutions must keep everything. However, there have been calls to provide better guidance and training to staff regarding the retention and destruction of transitory records.
As former British Columbia Commissioner David Loukidelis has observed, “there is no value in retaining records that have no value.” Institutions must identify and be able to differentiate between transitory records and records that should be retained. This is not a simple task. However, it is clear that the form of the record does not determine whether it is a transitory record. The fact that the record is a text-message or an email that might be deleted, does not mean that the record is a transitory record. In his recent report to the British Columbia government, Loukidelis conducted a broad and thoughtful review of government records management policies and the history and theory underlying them. After comparing transitory records policies from a number of jurisdictions, Loukidelis described the characteristics of transitory records in terms of their functions. Transitory records have a short “shelf-life”; they are needed to support a routine action or to develop a subsequent record but they are not themselves required again. Another way of looking at transitory records is that they are not required to meet an institutional mandate, sustain the operations or administration of an institution or to provide evidence of an activity.
Similarly, in Ontario, the Government of Ontario Common Records Series – Transitory Records (2008) defines transitory records as follows:
Transitory records are records of temporary usefulness in any format or medium, created or received by a public body in carrying out its activities, having no ongoing value beyond an immediate and minor transaction or the preparation of a subsequent record. Transitory records are of such short-term value that they are not required to meet legal or fiscal obligations, initiate, sustain, evaluate or provide evidence of decision-making, administrative or operational activities.
Although transitory records may be destroyed routinely, institutions must preserve and disclose these records if they are the subject of an access request (such as under Ontario’s FIPPA or MFIPPA). In light of the amendments made by bill 8, a person who destroys records that exist at the time of the request (even if they could have been destroyed earlier) will commit an offence if the destruction is wilful and intended to avoid having to produce the records in response to the request. It would seem, therefore, that institutions need to have processes in place to implement something akin to a litigation hold when they receive access to information requests.
Duty to document picks up steam
Although the amendments introduced by bill 8 strengthen Ontario’s FIPPA and MFIPPA by imposing a positive duty to preserve records and to punish willful destruction of records, Ontario’s access to information legislation still does not contain a positive duty for institutions to document their decisions. Many information commissioners cite the lack of such a provision in access to information legislation as a concern.
In 2015, Suzanne Legault, the information commissioner for Canada, advised Parliament in her comprehensive report calling for the modernization of the Access to Information Act (Canada) that such a duty to document was necessary to thwart the increasing risks that records of decisions were not being made or that they were being made in transitory media such as instant messages. The federal information commissioner is not alone. In 2013, information commissioners from every province and territory called on the federal and provincial governments to enact a legislative duty to document. In 2014, the information commissioners repeated their request.
Governments, perhaps understandably, have been slow to introduce a legislative requirement to document decisions. Ontario is no exception and is certainly not alone. But the tide may be turning. Commissioner Denham in her report in October 2015 recommended a duty to document in British Columbia. In response to the report by Loukidelis, the British Columbia government stated that the “Government agrees with Mr. Loukidelis’s recommendations to study and consider the establishment of duty to document, which is currently under review by the Special Committee to Review the Freedom of Information and Protection of Privacy Act.”
With a new federal government elected on a platform of greater transparency and a review of British Columbia’s access to information legislation in the works, we may be witnessing the beginnings of a new era of modernization for Canadian access to information. We can hope, can’t we?