A Potpourri of Access Orders: Practical Guidance in Responding to Access Requests
The Alberta Office of the Information and Privacy Commissioner has recently released several Orders relating to access to personal information pursuant to the Personal Information and Privacy Act (“PIPA”).
Access to information is not only relevant to public bodies subject to access to information legislation such as the Alberta Freedom of Information and Protection of Privacy Act (the “FOIP Act”) or federal Access to Information Act. It is also relevant to private sector companies, professional regulatory organizations, and certain non-profit organizations under PIPA, or under other similar private sector privacy legislation, as well as to health care providers and other custodians subject to legislation such as the Alberta Health Information Act (the “HIA”). What changes between these Acts is not the process for responding to access requests, but the scope of the information that an applicant can request.1
Under PIPA, an applicant can seek access to his or her own personal information (information “about” the applicant). Under the HIA, an applicant can seek access to his or her own health information (specific health information listed in the HIA or more generally, information collected about the applicant in the course of the provision of health services). Under the FOIP Act, a requester can seek access not only to his or her own personal information, but also to any records under the custody or control of the public body in question.
Recent PIPA Orders provide some practical guidance about responding to access requests:
- Don’t ignore an access request or review process. In Order P2012-13, the organization did not formally respond to the applicant in relation to the access request or make submissions in an inquiry regarding the failure to respond. The Adjudicator accepted the submissions of the applicant, and ruled against the organization. The organization was ordered not only to respond to the applicant, but also to conduct an adequate search for the records, and to provide a detailed explanation of various matters. An order issued by the Alberta Office of the Information and Privacy Commissioner under PIPA or under another Act may be filed with the clerk of the Court of Queen’s Bench and is enforceable as a judgment or court order.
- Do consider what constitutes personal information under PIPA (or health information under the HIA). The Adjudicator in Order P2012-09 found that the fact that records were located in the applicant’s personnel file did not necessarily mean that they contained personal information under PIPA. The organization provided access to records not containing the applicant’s personal information, such as blank forms and work product information, as well as records containing the personal information of third parties. The personal information of third parties must be redacted from any records provided to the applicant. The remaining nonresponsive information may be provided to the applicant outside of the operation of PIPA at the discretion of the organization, but won’t be relevant to the organization’s compliance with PIPA. Under the HIA, the custodian must provide only health information about the applicant (or health information and other information if the custodian is a hospital, nursing home or other public body also subject to the FOIP Act). Under the FOIP Act, there are no similar restrictions on the scope of information responsive to an access request.
- Don’t automatically refuse access because the applicant has a copy of the records. As confirmed in Order P2012-14, access to information in another forum or process (such as through litigation production) will not typically relieve an organization from having to provide access under PIPA or another Act.
- Do respond within the time limit. PIPA requires that a response be provided within 45 days (and similar time limits are included in other Acts). If no response is received within the time limit, this can be treated as a refusal to provide access.
- Do consider who to correspond with if the applicant has a legal representative. Order P2012-14 held that no appropriate response was provided to the applicant where the organization corresponded with the applicant’s legal counsel but the counsel was not representing the applicant with respect to the access request. It may have been reasonable for the organization to contact the applicant’s counsel to clarify to which party the organization should respond, but this should have been done before the expiry of the time limit. If the organization is aware that the applicant is making an access request independently of his or her representative and independently of another legal or administrative process, the response must be made to the applicant.
- Don’t respond to an access request by text message or other inappropriate means. An organization must respond to the applicant by indicating whether access to records will be provided. If any information is withheld, the organization must provide the reasons for this, the name of a person who can answer questions on the organization’s behalf, and that the applicant may ask for a review under the Act. In Order P2012-13, a response by text message indicating that no records would be provided was insufficient. This is a useful reminder that it would be difficult, if not impossible, to include all necessary information in a text message, voice message, or other similar short or informal means of communication.
Field Law’s Privacy + Data Management Group can assist with responding to access requests or other issues arising under privacy legislation.
1 Although a discussion of these matters is beyond the scope of this article, all of these Acts also contain specific exceptions to the
information that must be released in response to an access request, as well as provisions permitting the charging of fees.