ETHI Committee Report

39th Parliament, 1st Session

Standing Committee on
Access to Information, Privacy and Ethics

has the honour to present its

SECOND REPORT

Pursuant to its mandate under Standing Order 108(2), the Committee has studied the Alleged Disclosure of the Names of Access to Information Requesters.

In September of this year, newspaper articles alleged that the name of a journalist who was seeking access to information in relation to public security issues had been illegally leaked to a number of officials across government as well as exempt staff in the office of the Minister of Public Safety and the Prime Minister’s Office. In response to these reports, this Committee, on 27 September 2006, agreed to “investigate and report on issues related to the alleged disclosure of the names of access to information applicants to political staff of the current and previous governments.” The Committee held a series of hearings with witnesses who are knowledgeable in this area, including officials from the Treasury Board Secretariat and the Offices of the Privacy Commissioner and Information Commissioner. The Committee sought to gain an understanding of whether such disclosures are common practice, and the extent to which measures are in place to prevent these occurrences.

LEGAL PROTECTION OF THE NAMES OF ACCESS REQUESTERS

Those who avail themselves of their right to request government information under the Access to Information Act (ATIA) are entitled to do so while maintaining the privacy of their personal information, including their identities. The importance of preserving the anonymity of the access to information requester was underlined in the Supreme Court of Canada judgement Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police). ^[1] Justice Gonthier said in that judgement:

Section 4(1) of the Access Act provides that every Canadian citizen and permanent resident “has a right to and shall, on request, be given access to any record under the control of a government institution.” This right is not qualified; the Access Act does not confer on the heads of government institutions the power to take into account the identity of the applicant or the purposes underlying a request. In short, it is not open to the RCMP Commissioner to refuse disclosure on the grounds that disclosing the information, in this instance, will not promote accountability; the Access Act makes this information equally available to each member of the public because it is thought that the availability of such information, as a general matter, is necessary to ensure the accountability of the state and to promote the capacity of the citizenry to participate in decision-making processes. (Paragraph 32)

Interestingly, the legal prohibition against the release of requester names lies in the federal Privacy Act and not the Access to Information Act. The Privacy Act imposes fair information obligations on the federal government in terms of how it collects, maintains, uses and discloses personal information under its control. The name of an access to information requester is considered personal information for the purposes of the Act, and as such, it cannot, without the consent of the individual, be used or disclosed by the government except for the purpose for which it was obtained or compiled or for a use consistent with that purpose. ^[2] The Act does, however, set out a limited number of instances in which disclosure might be permissible without the consent of the person making the request: for instance where it is in the public interest, or to an investigative body specified by the regulations or for the purpose of complying with a subpoena or warrant. ^[3]

While the Access to Information Act is silent with respect to the disclosure of the name of a requester, the Treasury Board, which has general responsibility for co-ordinating implementation of the Act, has issued guidelines to all departments in this regard. Specifically, these guidelines affirm that the name of an individual who has requested information under the ATIA is considered personal information for the purposes of the Privacy Act and that, consistent with that Act, it may be appropriate in some circumstances to disclose the identity of a requester to a departmental official, which could include the Minister (as head of the department), but only for a purpose consistent with processing the request.

In his appearance before the Committee, the Deputy Information Commissioner, Alan Leadbeater, stated that successive Information Commissioners, government training programs, as well as the 2002 Access to Information Review Task Force, have all re-iterated that requester anonymity is imperative for ensuring impartiality in the processing of access requests.

WHAT WE WERE TOLD

Nearly all of our witnesses’ information tended to be anecdotal in nature, and for the most part, no documentary evidence was introduced to support our witnesses’ allegations. The Committee was told by a number of witnesses that releasing the names of access requesters to Minister’s offices is a common occurrence. For example, Col. Michel Drapeau and Mr. Ken Rubin, both frequent users of the access to information system, alleged that the names of access to information requesters are routinely disclosed to political staff and indeed to other government officials in contravention of the law. According to Ken Rubin:

On October 5, 2006, after a long-standing complaint to the Information Commissioner, I received from Canada Border Services a memorandum, previously totally secret, dated January 27, 2004. …. The memo was drafted for the then public safety minister, Anne McLellan, but CBSA officials, in the October 5, 2006 letter to me, say the memo in question was never conveyed to the minister or her office, at least in written form. My name was brought up in that memo, being criticized as one who had applied for data on the secretive air risk scoring system. (Meeting 10).

We did, however, learn about two specific cases reported by the Information Commissioner in his annual reports. In 1999, the Commissioner investigated an allegation of improper disclosure of access requester identities to the special assistant to the Minister of National Defence. The Commissioner found that the special assistant did have access to the names and identities of all requesters and that, on occasion, he informed members of the Minister’s office of these identities. On the basis of the prohibitions contained in the Privacy Act, the Information Commissioner concluded that the disclosure of requesters’ names should be limited to those who need to know this information in order to respond to access requests. Use of a requester’s identity to prepare the Minister for questions about an impending release of information was not considered to be a consistent use of this information pursuant to section 8 of the Privacy Act. ^[4]

Mr. Leadbeater, in his appearance before the Committee, drew our attention to a case cited in the 2001-2002 annual report of the Information Commissioner. ^[5] The case involved the disclosure of a requester’s identity to a deputy minister who subsequently sent a letter to the requester seeking to determine why information was being gathered about him. Although this was a case involving disclosure to a public official as opposed to political staff, Mr. Leadbeater presented it as an illustration of some of the adverse consequences that can result from an improper disclosure. He said:

We have seen the effects of unnecessary disclosure of requester identity. One is retribution, such as loss of contracts by businesses, loss of access to the Prime Minister’s aircraft by journalists, or career retaliation against employees. We have seen threats and bullying — for example, senior officials communicating directly to the access requesters their displeasure at being the targets of access requests. We have seen discriminatory treatment of the access request itself by it being improperly delayed, subjected to inflated fee estimates and 100% deposit demands, refusals of fee waivers, and overly broad application of exemptions to deny access. (Meeting 8)

Mr. Leadbeater also pointed out to the Committee that while his office has received other concerns about identities being disclosed, he is prohibited from making these cases public unless the individual involved consents.

For its part, the Office of the Privacy Commissioner furnished us with information indicating that since 1990, the office has received 13 complaints from individuals alleging that their identities as ATIA requesters were disclosed. Of those 13 complaints, 6 were determined to be well-founded (meaning that a contravention of the Privacy Act had occurred) and six were not well-founded (meaning that there was no contravention of the Act). The complaint involving the subject matter that gave rise to our study is currently under investigation and, as such, is confidential at this time.

With respect to the case of the release of journalist Jim Bronskill’s name, in an e-mail summary of a conference call between officials on communications issues, we heard testimony from officials in the Office of the Assistant Secretary to the Cabinet (Communications and Consultations), Privy Council Office. Specifically, Mr. Gregory Jack, the author of the e-mail in question, stated that the disclosure of Mr. Bronskill’s name was based on the reporter’s well documented interest in the issue at hand and that it was in no way based on information received from the Access to Information Office at PCO or any access to information officer about the identity of the requester. Indeed, the email in question, dated 15 March 2006, states under the heading “PSEPC”: “Noted there will shortly be another Bronskill/CIA Planes article, as new ATIP info is going out from PSEP. The info essentially reiterates that normal procedures were followed and nothing abnormal was discovered.” Providing more context for that email, Mr. Jack told the Committee:

On the second matter, I would like to provide you with some specific background on the call summary dated March 15, 2006, in which the issue of alleged CIA overflights was mentioned. Mr. Jim Bronskill of the Canadian Press had written numerous stories about this issue, beginning in November 2005. In fact, he was one of very few journalists in Canada writing about this issue on a regular basis, and was certainly writing about it with the greatest frequency. In fact, when the issue of the summary first arose in the media, our quick check showed that he had written about eight to ten stories between November 2005 and February 2006. During that time period, he had even called me personally on this subject, as I was spokesperson at the time for the Privy Council Office. During the March 15 conference call when Public Safety and Emergency Preparedness noted that they would shortly be releasing an access to information request on the issue of alleged CIA overflights, it was assumed that Mr. Bronskill could be writing a story on the issue. It was this assumption that was reflected in the communications summary. The assumption was based on the reporter’s well-documented interest in the issue and was in no way based on any information received from the access to information office at PCO or anyone else about the identity of the requester. Again, I have never been, and I am not now, privy to the names of requesters.

A BROADER CONCERN

A number of our witnesses argued that the concern about protecting the identities of requesters is broader than the statutory privacy protections prohibiting the release of their names. The categorization of access requests within departments, for statistical or other purposes, can lead to information circulating within those departments that allows officials to guess the identities of requesters and result in unequal treatment of particularly sensitive requests. Witnesses expressed concern that the identities of requesters are being circulated among departmental officials, and whether this is due to the categorization of requesters, or because officials can make educated guesses about requesters based on the subject matter of requests, several of the witnesses recommended that such outcomes are to be avoided.

Professor Alasdair Roberts argued that the methods currently being used within the federal government to administer the ATIA threaten important rights of Canadians: the right to equal treatment under the law; and the right to privacy. Departments use case management software, also known as tracking software, to manage the inflow of access to information requests. This software allows departments to classify incoming requests by the occupation of the requester. There is also a government-wide data base known as CAIRS — the computerized access to information system — which allows central agencies to monitor what is coming into the system and to coordinate responses. According to Professor Roberts, categorization facilitates differentiation between requests:

Major departments also have routines for identifying and handling politically sensitive requests. The bureaucratic routines are often well developed and rely on the capabilities of the departmental tracking software. Incoming requests are assessed according to political risk and labelled within the departmental data base. The labels vary among departments. Requests may be amber-lighted or coded as red files or purple folders or sometimes as interesting requests. It appears that requests from journalists, opposition MPs and party researchers are routinely tagged in this way. The process of tagging appears typically to be undertaken after a regular consultation with ministerial and communications staff. Lists of incoming requests from journalists and opposition parties are regularly generated from the departmental data bases and circulated within departments as part of this tagging process. (Meeting 11)

The value of requester anonymity does not, therefore, lie solely in the protection of requesters from potential harm resulting from the release of their names, although many requesters would seek that protection, but also in ensuring impartiality in the processing of access requests. It has been argued that categorizing requesters allows departments to treat politically sensitive requests differently, including more slowly, than others. David Gollob of the Canadian Newspaper Association testified that media requests, in particular, are singled out for special treatment. In fact, the Newspaper Association has lodged a complaint with the Information Commissioner alleging that, on a systematic basis, requests from the media are getting prejudicial treatment by being answered more slowly and in a less forthcoming manner than other requests. ^[6] The matter is currently under investigation by the Office of the Information Commissioner.

Mr. Leadbeater, in his appearance, did acknowledge that often departments have a legitimate need to coordinate a communications strategy in response to information that is released as the result of a “sensitive” access to information request. This legitimate practice can only continue, however, without delays in the process, and without potentially infringing the requester’s privacy rights:

We have no objection to government communications functions or ministerial staff knowing what information is going to be released under the access to information so that they can be prepared with house cards and Qs and As and so forth, as long as the process of doing that does not prejudice the requester by either delaying the answer going out or by changing the amount of censoring that’s in the document and so forth. That process, I think, can flow without there being any exchange of identities — and some departments do it very well. (Meeting 8)

We heard from several witnesses that the categorization of access requests could threaten access requesters’ rights to equal access and privacy. As well, there is a risk in some cases that categorization may allow officials to guess the actual identities of some requesters. In contrast, we heard little evidence on the purposes or benefits of the process of tracking categories of requesters. Witnesses generally agreed that departments need to coordinate their communication responses to some access to information requests, but concurred with the Deputy Information Commissioner that the process should relate to the content of the outgoing information, and not to the identity or type of requester asking for the information. In terms of how this issue should be addressed, Professor Roberts offered the following specific recommendations:

The first is discontinuance of the practice of circulating the occupational categories for requests within and among departments. The second is a requirement that departments publish, perhaps on their website, the internal procedures that are used to process requests. The third might be a requirement that departments notify requestors if their requests have been tagged for special handling. The fourth would be explicit recognition of the role of access coordinators within the Access to Information Act so that they are better positioned to defend the law. And finally, reform to the funding of the Office of the Information Commissioner so that it has the resources to act quickly against cases of excessive delay and investigate systemic discrimination against certain types of requestors. (Meeting 11)

This Committee has long been interested in the modernization of the Access to Information Act, and in September of this year, adopted its first report of the 39th Parliament, on the subject of access to information reform. That report recommended that the Government “introduce in the House, no later than December 15, 2006, new strengthened and modernized access to information legislation based on the Information Commissioner’s work.” The report was tabled in the House of Commons on 4 October 2006, and the Committee awaits the Government’s response to it.

CONCLUSION

This Committee is in agreement that violations of the Access to Information Act or the Privacy Act must not be tolerated. The access and privacy rights of Canadians must be promoted and protected. The specific event which gave rise to the Committee’s concern about the possible release of the name of an access requester is appropriately under investigation by the Privacy Commissioner of Canada. However, based on the testimony that was given to us, we cannot conclude that there was a violation or breach of the law.

This study brought to light certain practices related to the implementation of the Access to Information Act that are of concern both to our witnesses and to the Members of this Committee. In order to ensure that the broader issues of requester categorization and tracking are addressed, we recommend that the Minister of Justice, when drafting amendments to the Access to Information Act, take into consideration the concerns that we heard about the practice of categorizing and tracking the identities of access to information requesters within government departments, and include in a draft bill measures under the ATIA to protect the identity of all access requesters.