Who wants to read about FOI legislation? Yeah? Let’s do this!
Province by Gregory Beatty
Saskatchewan Education minister Don Morgan was lampooned recently when he defended his own government’s approach to funding education by trashing Roy Romanow’s 1993 NDP government. Leader-Post columnist and Twitter comedian Murray Mandryk had a field day, tweeting numerous nostalgic references to 1993 including: “Hey, @SaskMLA! Guess what? The Montreal Canadiens just won the Stanley Cup!” and “Hey, @SaskMLA! Think that Internet thing they are about to invent will catch on?”
Yes, 1993 was a long time ago.
As it happens, that was the year Saskatchewan passed its second piece of privacy legislation. The Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP) followed the 1992 privacy and information act (FOIP) that covered the provincial government, Crown corporations and related agencies.
LAFOIP brought city councils, school boards and other local authorities into the privacy fold.
A third privacy act covering the health sector (HIPA) was passed in 2003. There’d been a lot of changes in the intervening 10 years, including the emergence of “that Internet thing”, so HIPA offered the government a chance to modernize its approach to privacy.
As for FOIP and LAFOIP, despite repeated pleadings by privacy commissioners, successive NDP and Saskatchewan Party governments declined to update them — until June 13, that is, when Justice minister Gordon Wyant introduced Bills 30 and 31 to amend FOIP and LAFOIP.
At a June 28 news conference presenting his 2015-16 annual report, Saskatchewan privacy commissioner Ronald Kruzeniski said he was pleased the government was updating the acts. “The first reason is because of the time since they were last amended, which is way too long for any legislation to not be looked at,” said Kruzeniski. “Secondly, we made proposals, and a good number, but not all, have shown up in the proposed amendments.”
Long Overdue
Maybe it’s a remnant of Saskatchewan’s old “party line” tradition where neighbours used to listen in on each other’s calls on shared phone lines, but as a province, our privacy and access to information track record is not good.
Even Premier Brad Wall’s office, if you recall, was implicated in a breach last summer when it released private information in an effort to discredit health-care worker Peter Bowden after he made allegations about poor care at a Saskatoon seniors’ home.
And in early July, SaskPower revealed that it had fired an employee who snooped on the files of over 4,000 current and former employees.
The employee’s motive, at this point, is unknown. But as technology continues to advance — permitting data crunching on a scale unimaginable a generation ago — information is becoming an increasingly valuable commodity.
Kruzeniski flagged several amendments as highlights in Bill 30 and 31, including a duty to assist.
“A public body has an obligation when an access request comes in to deal with it openly, accurately and completely,” he said. “Other provinces have this duty, and I’m pleased to see it’s there. My hope is that by public bodies communicating with those who request information that the issue gets solved so fewer people have to launch appeals with our office.”
In 2015-16, Kruzeniski noted in his report, the Office of the Saskatchewan Information and Privacy Commissioner (OIPC) handled 244 investigations. That’s up from 182 in 2014-15, and 77 in 2011-12. So privacy is obviously a growing concern.
The amendments also introduce a duty for public bodies to report any breaches that occur so the affected party can take protective action, and broaden the definition of “employee” to include consultants and contractors who work for public bodies on service contracts.
Considering how much outsourcing there is these days, that’s a no-brainer.
Police forces used to be exempt from the Act. Now? They’ll also be brought under LAFOIP as “local authorities”. And maximum penalties under both acts will be boosted from relative wrist slaps ($1,000 fine and three months in jail) to $50,000 and one year in jail.
Harsher penalties, said Kruzeniski, send a signal to public bodies about the need to take privacy seriously.
“On the other hand, the worry is if people get too fearful, then every time someone asks a question they might say, ‘I’m sorry, I can’t tell you. It’s private.’ When you look at [privacy], it’s a real balancing act as to when they can release information and when they can’t,” he said.
“And they really need to know when they can and can’t because that makes the system work.”
Hits And Misses
In the wake of the Bowden scandal, where OIPC determined a privacy breach occurred but that it had no jurisdiction because the legislative branch of government wasn’t subject to FOIP, the act will now apply to the premier’s office, cabinet and all MLAs.
Bill Bonner, an associate professor at the University of Regina’s Faculty of Business Administration, has an academic interest in privacy issues.
“I thought the proposals the commissioner submitted were well done,” he says. “I’m curious, though, why the government chose to implement some of them but not others.
“They had to do something around cabinet ministers, because after the Bowden case they said they would. It was good, too, that they added police forces to LAFOIP,” says Bonner.
But they left a whole bunch of proposals out, and I don’t understand why.”
One proposal the government failed to act on that caught Bowden’s eye was privacy impact assessments.
“That puts the onus on an organization when it’s proposing a system to assess what impact it will have on privacy and make adjustments to minimize the impact,” says Bonner. “It needs to be part of the planning process from day one. It’s cheaper for the organization that way too, because if you build it in, you don’t have to go back and fix it later as that always costs more.
“Another thing I thought they missed was the fee estimate review. If you go to a public body and they tell you how much it’s going to cost, there’s no way to appeal the estimate to the privacy commissioner if you think it’s too high. The commissioner proposed there be a review, so I don’t know why that wasn’t done.”
That issue was in the news recently when the government gave CBC an outrageous $120,000 cost estimate to provide documents on Global Transportation Hub land acquisitions in Regina.
As part of the same kerfuffle, the premier declined to reveal details of a high-ball appraisal that informed the final GTH purchase price on the grounds of protecting the appraiser’s privacy.
In his proposals, the privacy commissioner recommended a more nuanced approach to third-party exemptions. Unfortunately, says Bonner, the government failed to act.
“It can be used as a shield, but oftentimes the issue has nothing to do with privacy,” he says.
“[The appraisal] was a commercial transaction. Privacy legislation was only ever intended for private citizens not private companies. They have trade secrets and whatnot, but if the government paid for an appraisal that was used in their decision-making process, it’s public even though it was generated by a private company.”
Bonner also thought that the commissioner’s proposal to shorten response times on access requests from 30 to 20 days was reasonable in light of most documents being stored digitally these days instead of on paper. But the government kept the deadline at 30 days.
Slow SARM
In the Office of Information and Privacy Commissioner’s annual report, Saskatchewan privacy commissioner Ronald Kruzeniski noted that while his office had engaged with many towns and cities — both individually and through the Saskatchewan Urban Municipalities Association — they had made “no progress” with Saskatchewan’s 296 rural municipalities in the Saskatchewan Association of Rural Municipalities.
“If you have a long list of goals you don’t necessarily achieve them all,” Kruzeniski said. “Then for the following year you say, ‘I guess we have to try again.’
“If you look at Regina and Saskatoon, they have FOIP units that process access requests and they become very sophisticated. When you get into small villages and RMs, if they have part-time administrators, it’s hard to get as familiar with the legislation.
“The same rules apply, though, and while they may only be exposed to one request a year, they still have to handle it as far as providing the proper information and knowing when they can claim an exemption and when they can’t.
“A little more effort on our part to build connections and relationships, and a willingness on SARM’s part to collaborate, would certainly start moving this in the right direction.”
Other goals cited by Kruzeniski heading into 2016-17 include updating HIPA and developing training modules to give management and employees the skills they need to protect privacy in an increasingly menacing world of ransomware, identity theft and other cyber-threats.
That’s an important initiative, says the University of Regina’s Bill Bonner.
“You’ll find that most breaches occur because some internal employee left something open,” says Bonner. “It’s not because they’re evil, it’s just they have access to the system and what hackers want is access to someone who has access to the system.”
OIPC also advocates amalgamating FOIP and LAFOIP into a single piece of legislation, as most provinces have done, to clarify the law around privacy. Bonner supports that move, and would also like to see the government adopt OIPC’s proposal that privacy legislation be reviewed every five years to ensure it remains current.
While Bonner supports the Bill 30 and 31 amendments, he thinks a broader review of privacy is warranted.
“When the government said it was going to review the legislation, I thought it would gather input from citizens. Because of the blowup between Bowden and Wall, they had to do something, and they did the minimum. But I’m not surprised, because in this province it’s just not a priority.” /Gregory Beatty
