Privacy and Freedom of Information: What are a Municipality’s Obligations?

Technology is rapidly advancing and more and more people rely on it for daily activities – this has led to an exponential increase in the collection, use and disclosure of personal information. In addition, the ever-increasing online storage of personal information has made such information more vulnerable to illegal access and abuse. This has in turn made privacy rights and freedom of information more important than ever before.

Municipalities are tasked by the applicable legislation with balancing the complex dichotomy of being open and transparent with community members while maintaining a high standard of privacy protection. It is vitally important that municipalities understand and comply with their legal obligations surrounding both privacy and freedom of information (FOI).

As local public bodies, municipalities fall within provincial jurisdiction when it comes to the law of privacy and FOI.

The Freedom of Information and Protection of Privacy Act (FIPPA, or the “Act”) applies to all records in the custody or control of a public body in Manitoba. FIPPA was first enacted in 1998 and later amended in 2011. By the year 2000, this legislation applied to municipalities. The purpose of FIPPA is two-fold, with detailed provisions addressing both privacy rights and access to information requests.

FIPPA applies to all records in the custody or under the control of a public body (including a municipality), subject to certain exceptions.

Of particular note is that neither FIPPA’s privacy provisions nor its FOI provisions apply to personal health information. Manitoba’s Personal Health Information Act (PHIA) applies in each of these cases. Municipalities are considered trustees of personal health information and therefore must comply with PHIA.

PHIA provides individuals the right to access personal health information and the right to privacy of personal health information records. PHIA has detailed privacy provisions about the collection, use, disclosure, retention and destruction of personal health information, while the right to access information includes the right to examine, receive copies or request corrections of personal health information records.

Each municipality is required to designate an access and privacy coordinator, who will oversee that municipality’s privacy and FOI compliance program.

Dealing first with FIPPA’s privacy provisions, each municipality:

  • can only collect personal information for specific purposes, in limited amounts and by limited means;
  • is prohibited from using or disclosing personal information except as authorized by FIPPA;
  • can only use personal information to make a decision about an individual if the municipality has taken reasonable steps to ensure that the information is accurate and complete;
  • must, subject to a 30-day time limit, correct personal information if the individual requests it, or advise the individual why it is refusing to do so;
  • must have a personal information retention policy that complies with FIPPA; and
  • must protect personal information by making reasonable security arrangements against such risks as unauthorized access, use, disclosure or destruction.

Compliance with these obligations will require each municipality to have, at a minimum, robust privacy, data-breach and cybersecurity policies.

Municipalities must breathe life into these policies by ensuring that their employees receive appropriate privacy and security training. Privacy impact assessments are increasingly recommended or even required for some projects in which municipalities will collect, use or disclose personal information. Finally, conducting periodic audits or simulated data breach scenarios will either assure municipalities that their privacy compliance program is functioning well or show that it needs more focus and attention in certain areas.

Dealing with FOI, Manitoba’s Court of Queen’s Bench has stated that:

“Disclosure is the rule rather than the exception.[1] Thus, upon application, there is a right to access any record in the custody or under the control of a public body, subject to the exemptions outlined in the Act.”[2] [Emphasis added]

These exemptions are very important and very detailed, with some of them being mandatory (for example, to protect the privacy or business interests of a third party), and others being permissive.

Responding to an FOI access request will typically involve identifying all of the documents encompassed by the request and then examining them in detail for the purpose of determining what information (if any) must not or should not be disclosed (which may result in the refusal to release certain documents or a process of redaction, with a redacted version being released to the applicant).

In terms of timing, a municipality is required to make every reasonable effort to respond to an FOI access request in writing within 30 days of receiving it, subject to certain limited exceptions.

FIPPA also provides a process for the independent review of decisions made by public bodies.

An applicant who is not satisfied with a municipality’s response to an FOI request or a request to correct personal information may file a complaint with the Manitoba Ombudsman. An individual who believes that his or her personal information has been collected, used or disclosed in violation of FIPPA can also file a complaint. If the person filing the complaint is not satisfied with the Ombudsman’s decision, an appeal is possible under certain circumstances to the Manitoba Court of Queen’s Bench. Finally, the Ombudsman also has the power to conduct investigations and audits (in the absence of a complaint) to ensure compliance with FIPPA.

Privacy laws and best practices are complicated and continue to change, both through legislation and judicial decisions. The current provincial government conducted a review of FIPPA which resulted in a report released on April 11, 2019. So far, no amendments have been proposed. The current federal government posted information on its website on May 21 about its ongoing work to modernize the Privacy Act, as part of an overarching strategy to update Canada’s privacy regime in light of global developments (such as the new General Data Protection Regulation in the European Union). Any legislative changes at the federal level could eventually filter down to the provinces.

FOI requests are on the rise and, due to technology and the volume of information being maintained in databases, are becoming more challenging and burdensome to address. Municipalities must take a proactive approach to complying with their obligations under FIPPA, both now and in the future.

This article first appeared in Municipal Leader, a publication of the Association of Manitoba Municipalities.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.

[1] Oakley v Manitoba (Minister of Health) (1995), 101 Man. R. (2d) 98 at 5, 54 ACWS (3d) 205.

[2] Kattenburg v Manitoba (Minister of Industry, Trade & Tourism) (1999), 143 Man. R. (2d) 42 at para 5, [1999] MJ No. 498.