:
Exactly. Information management is different from access to information, it turns out.
My name is Jim Alexander, and I'm the deputy chief information officer at Treasury Board Secretariat. I'm accompanied by Donald Lemieux, who's the executive director of information, privacy and security policy division. One of our colleagues, Charles Taillefer, will also be here momentarily.
[Translation]
On behalf of Treasury Board Secretariat, I would like to begin by thanking the Committee for this opportunity to discuss the policy role that Treasury Board Secretariat plays with respect to access to information and privacy across the Government of Canada, specifically as it relates to the issue of disclosing the names of applicants seeking information under the Access to Information Act.
[English]
As the lead department for access to information and privacy policies, Treasury Board Secretariat takes the right of access and the privacy of all Canadians very seriously. Canada's solid foundation of privacy laws and policies has made it a world leader in privacy protection for more than 25 years, and it has had effective privacy management practices in place for some time as well.
In fact, when issues or concerns arise, Treasury Board Secretariat is quick to respond. For example, following recent allegations that the name of a requester was improperly disclosed, the secretary of the Treasury Board immediately sent a notice to his colleagues reminding them of their responsibility to protect the identity of access to information requesters. A reminder was similarly sent to the access to information and privacy communities.
When a similar situation arose in 1999, Treasury Board Secretariat acted swiftly to issue an implementation report—which is the means by which TBS provides guidance to the access to information and privacy community, the ATIP community—to treat this information as personal information.
Since then, several mechanisms have been introduced to inform and educate the ATIP community on their roles, responsibilities, and best practices. This brings us to the issue this committee is currently studying: the disclosure of names of access to information requesters.
Although this is not specifically addressed in the current Access to Information Act, it's clear that the definition of personal information contained in the Privacy Act covers the names of individuals who file requests for information under either act. The Privacy Act sets out the rules that govern the collection, use, and disclosure of such personal information. The general principle with respect to the use and disclosure of personal information is that it should only be used or disclosed for the same purpose for which it was collected or a purpose consistent with it.
It's important to note that the policies issued by Treasury Board Secretariat support and enhance the Access to Information Act, the Privacy Act, and associated regulations, the broad overview of which falls under the responsibility of the Minister of Justice.
The legislative framework at hand includes those two acts: the Access to Information Act, which provides the general right of access to information that's held by the Government of Canada, and the Privacy Act, which provides Canadians with a right of access to their own personal information, as well as protection for their personal information that's held by the government. Both were proclaimed into force on July 1, 1983.
With respect to the Access to Information Act and the Privacy Act, Canada has two parliamentary officers, the Information Commissioner and the Privacy Commissioner. These agents of Parliament investigate complaints pertaining to the act and report to Parliament annually on their investigations and related activities.
The Privacy Commissioner is specifically mandated in law to perform audits to ensure that departments are handling personal information in accordance with the Privacy Act. Similarly, the Information Commissioner conducts regular evaluations to assess departmental compliance with the Access to Information Act.
Treasury Board Secretariat does not have an audit function with respect to monitoring the administration of the acts. For its part, TBS relies on annual reports and other departmental documents to monitor compliance with the policy. Beyond this, Treasury Board policy indicates that internal audit groups are responsible to examine the institution's success in meeting legal and policy requirements.
The President of the Treasury Board is the designated minister under the act who is responsible for issuing policies and guidelines governing the operation of both the Privacy Act and the Access to Information Act and associated regulations. Treasury Board Secretariat supports the president in this role by developing policies and guidelines and providing training to the access to information and privacy community.
From a policy perspective, TBS has issued the policy on privacy and data protection, the policy on privacy impact assessments, and the access to information policy. These policies apply to institutions that are covered by the legislation, which include 185 institutions under the Privacy Act and 180 institutions under the Access to Information Act.
[Translation]
In addition, these policies reinforce information management principles inherent in the Management of Government Information Policy and the Security Policy. They also support the objective of “duty to inform”, “routine disclosure” and “service to the public”, which are fundamental concepts within the Communications Policy.
From a training and development perspective, the Treasury Board Secretariat is the functional lead for training the ATIP community. Throughout the years, Treasury Board Secretariat has adopted different measures to help federal institutions adhere to the policies and standards issued regarding Access and Privacy
[English]
For example, TBS provides ongoing training to the access and privacy communities. We do this through a variety of means. We develop training material and host training sessions.
Last year we held a total of 26 different ATIP training sessions with a total of 404 registered participants. That is really a significant number of participants from the community, considering the relatively modest number of about 500 public servants who make up the ATIP community around the federal public service.
We hold regular community meetings, often in conjunction with the justice, access to information, and privacy communities. At those meetings we tend to share issues of interest and best practices and advise the community of any changes to the policies or practices.
We respond to calls and written requests from ATIP practitioners who have questions or concerns or who require assistance regarding training. An average of 50 calls and e-mails a month are received for advice and interpretation on ATIP policies and guidelines, and then we prepare and distribute guidance documents to the ATIP community.
Finally, we publish an annual info-source bulletin, which contains statistics of requests made under the Access to Information Act and the Privacy Act and summaries of Federal Court cases of relevance to the interpretations of the act.
While the secretariat plays an important role in providing guidance to the ATIP community in establishing policies and guidelines, it remains the case that the heads of institutions are ultimately responsible for the administration of the acts within their respective institutions.
[Translation]
Heads of Government institutions are responsible for ensuring that their organizations comply with Privacy and Access to Information legislation and with the Treasury Board policies and guidelines that support the legislation to ensure access to Government information and the protection of the privacy of Canadians.
[English]
This means that each institution is responsible for putting into place a process to respond to requests in a manner that is both consistent with the policy and complies, obviously, with the legislative requirements.
The responsibility for responding to ATIP requests within institutions is generally delegated to ATIP coordinators. Last year the government's access to information and privacy community processed approximately 25,000 access to information requests and approximately 36,000 privacy requests.
In summary, TBS is committed to access to information and to its principles of openness, transparency and accountability. The Access to Information Act is an important means for the public to obtain information on government operations and decision-making and a means through which Canadians can hold their government to account.
As you can appreciate, there is a balance to be struck between providing openness on one hand and ensuring the protection of legitimate concerns, such as personal privacy, on the other. The Government of Canada's policies and guidelines enhance the legislative framework to ensure this balance is respected.
I'm confident that we have the legislative framework, policy frameworks, and tools that we need to ensure departments, agencies, and crown corporations provide Canadians with effective access to government information while protecting their personal information.
Ultimately, the government's goal with respect to access to information and privacy is to ensure the continued accessibility of information to Canadian citizens and businesses while protecting the privacy of personal information that is shared with government. This is an issue that we take very seriously.
[Translation]
I can assure you that the Treasury Board Secretariat is committed to supporting the administration of the Access to Information Act and the Privacy Act. We will continue to provide all 180 departments, agencies and Crown corporations with guidance on related policy issues and arising issues and concerns.
[English]
Mr. Chairman, this brings me to the end of my statement. Mr. Lemieux and I would be very pleased to respond to questions from members of the committee relating to the government's access to information and privacy policies and guidelines and, in particular, the Treasury Board Secretariat's role in that regard.
Thank you for your attention.
:
I can start on some of that, and Donald will likely be able to come in on it as well.
If we look at the period from April 2004 to March 2005--that fiscal year--we had 25,000 requests that were received during that reporting period. We would track the number where all the information was disclosed, where it was disclosed in part, or where some of the information was excluded, and so on.
We'd also track the source of the requests, and I think Donald indicated that about half of the requests actually came from businesses.
We'd also look at which institutions did the bulk of the work. And it's interesting to note that well over one-third of all of the requests received in 2004-05 were processed by one organization--that being Citizenship and Immigration Canada. That was 35.8% of it.
Very clearly, the size of the access to information community within Citizenship and Immigration would be very substantial, even compared to the next largest, which was Canada Revenue Agency at only 7.4%. That would also indicate that regarding the nature of who was doing the access to information processing, where the ATIP staff were, it would probably be quite distributed among various sectors within something like Citizenship and Immigration, as opposed to some of the small organizations that would receive only one or two or three in a year.
We also have a sense as to the time required to complete requests, and close to two-thirds of them are done within zero to 30 days--61.7% are done within that timeframe.
In terms of the community itself, generally individuals would come into the community at a lower officer level, possibly even clerical, within an organization, working in that area. Then through a series of on-the-job training, experience, and the training courses that we offer or that are offered through other institutions like the Canada School, they would develop their competency and their experience and would, through a series of competitions, possibly end up as the ATIP coordinator for an institution. It's generally a pretty tight community.
And as you indicated, Mr. Chair, it's getting increasingly complex, so we're very much looking at the community management overall to make sure that as the complexity increases, as we consider adding more institutions that are subject to access to information, there's actually a cadre of well-trained professionals who can discharge their obligations under this.
:
In fact, it was very interesting to listen to those exchanges between the two parties that have held office in the last year, and who have therefore been in power and had ministers' offices with political staff. They both seemed to be saying that it was a well-established procedure for political staff to get together with officials to look at all the access to information requests. As far as I can recall, no one mentioned any names, but I will do my homework and re-read the record of those exchanges.
The fact remains that there seems to be a well-established practice, which neither one denied, involving an exchange of information about ATIP requests in order to determine who is doing what and how, identifying the different categories.
Also, you say that there are very few complaints. It's quite obvious that there aren't many. Personally, I have made access to information requests, but I have no way of knowing whether my name was disclosed. I have no way of knowing whether someone might have disclosed my name. So, it's obvious that there are not going to be many complaints, because people simply are not aware.
On the other hand, you say that you are aware of five cases out of 25,000. You may be right, but you only know about five. However, is it possible that there is a well-established practice that involves going through the most sensitive ATIP requests and simply disclosing the names -- in other words, the names are not necessarily the product of people's suppositions? In fact, I find this whole theory of people simply guessing or assuming that it's a particular person -- I wouldn't want to say far-fetched, I would never say that -- rather strange.
Is it possible that the practice of exchanging this information is well established, that there aren't many complaints because people don't know what's going on, and that you are only aware of five cases because this is a well-established practice and no one ever complains.
Finally, should I not file an access to information request to find out whether there are other e-mails similar to the ones Mr. Kenney tabled here, last week, before the Committee?
:
Thank you, Mr. Stanton.
Going back, if I may, to the guidelines that you have, and reading further than I did, because I don't want to leave any particular impressions necessarily, your guidelines say, “In some circumstances”--I say, in some circumstances, not all circumstances--“it is appropriate to disclose the identity of a requester to a departmental official for a consistent purpose such as...”. And then some examples are given.
Now, putting aside the minister, who is at the head of the department and presumably could know whatever the minister wants to know and is under secrecy and whatever, I'm concerned about the wording. It says “for a consistent purpose”. I looked at that and didn't quite figure out what “consistent purpose” means.
I looked at the French version. The French version says,
[Translation]
“for a consistent purpose”.
[English]
It makes sense to me, if you have a logical purpose for giving the information to the departmental official. I think “logical” makes more sense than “consistent” in the English term, and I'd suggest that you consider that.
But in any event, your guideline makes it clear, it would seem to me, that you just can't willy-nilly give the information or the name to a departmental official. It has to be for some logical purpose in following up the access to information request. And then you give some examples, but that's not exhaustive.
Am I more or less understanding the guideline correctly?
:
Mr. Chairman, I was listening to Mr. Martin earlier talk about some major soul searching being in order in relation to what we have just learned.
But when you look at the origins of the Access to Information Act, it seems to me that the goals were all focussed on transparency. The idea was for the Government to be more transparent and enhance public trust.
It's funny, but when I look at the examples, and specifically situations such as these, I have the feeling that we're actually dealing with the reverse situation. If the public were to find out what is going on, I'm not sure that their confidence would be greater; it seems to me it would decline.
We were also talking about the amber light process whereby, when ATIP requests are filed, all across Government there is an analysis of the requests that have been filed under the Access to Information Act. As a result, people look at them and prepare strategies for responding to them that, in a way, are specifically tied to the information request in a specific department, even though this is a process that normally occurs under any government.
By the way, I should mention that I drew my information from an article written by Mr. Allister Roberts, a university professor, and published in Public Ethics; he carried out a number of studies and filed access to information requests with a view to proving his assertions. At the Privy Council level, he says that the amber light process should not delay requests for answers. But in actual fact, based on his studies, the response time for ATIP requests is not always met. That is the case for 40 per cent of requests from political parties, for 38 per cent of requests from the media, and only 17 per cent of requests from other sources. It seems to me that this is fairly important information to look at as we try to determine why it is that ATIP requests from the media and political parties are delayed. Is it to allow time to develop an appropriate strategy or prevent the media from accessing the information too quickly?
That's my question. Are you aware of this?
Chair, I'd simply say that the anonymity of the applicant is a fundamental cornerstone of freedom of information laws. That has to be our starting point, the premise, the foundation of everything that we stand for and believe in, if we're fighting for the right to know and for freedom of information. What you've told us today changes everything.
I used to think I was somewhat of an authority on this issue, as I've been engaged in it for at least the last four or five years. But I didn't know that. To me, life as we know it will never be the same in the access to information community, as you put it.
In fact, I think as of this moment there's going to be a chill on freedom of information requests based on what we've learned at this meeting. This is devastating. We, as a committee, should be really concerned. It's shocking to me, because the retribution can go both ways too. It's not just the applicant who has to fear retribution; it's the access to information coordinator who may say no to a minister because he thinks it's morally or ethically repugnant to disclose the name of the applicant.I think we've opened up a real can of worms here.
I want to thank you for your testimony today and for your interpretation of it. In your presentation on page 6, you say, “Heads of government institutions are responsible for ensuring...” access to government information, etc. It never occurred to me for a minute that that goes all the way up to a minister's right to know who the applicant is.
I don't know if I even have a question, Mr. Chair, other than to say that I thought we were in for a dry, boring presentation, a statement of the status quo and the law as it stands, so we could all start with the same base-level information. In actual fact, our committee has a lot of work to do if that's the status quo. Freedom of information laws in this country are in tatters.