Introduction

Both the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the Freedom of Information and Protection of Privacy Act (FIPPA) set requirements that must be met by each institution. In many instances, the head of the institution is responsible for fulfilling these requirements. The requirements concern:

  • responding to requests for access to records;
  • protecting records from inadvertent destruction or damage;
  • protecting personal privacy;
  • providing specific information to the Information and Privacy Commissioner (Commissioner); and
  • making information available to the public.

In addition, Management Board of Cabinet has issued the Freedom of Information and Privacy Directive that specifies mandatory requirements and responsibilities of institutions administering FIPPA.

Some administrative responsibilities such as publishing the Directory of Records are shared between an institution's head and the Responsible Minister. FIPPA outlines how the Responsible Minister, who has overall administrative responsibility for FIPPA/MFIPPA, is to be chosen. Both Acts set out duties of the Responsible Minister (known in MFIPPA as the Minister/Chair of Management Board of Cabinet).

This chapter provides an overview of the administrative responsibilities of the head of an institution, the Responsible Minister and other issues dealing with the administration of FIPPA/MFIPPA.

Head of an Institution

s.2, 62 FIPPA / s.2, 3, 49 MFIPPA

The head of an institution is responsible for decisions made under FIPPA/MFIPPA by the institution and for overseeing the administration of that Act within the institution. This responsibility includes complying with the access provisions of that Act, and ensuring that personal information held by the institution is accurate, up to date and collected, used and disclosed only as authorized. FIPPA/MFIPPA specify those circumstances where information must be disclosed or access refused, and those cases where the head may exercise discretion.

For FIPPA institutions, the head will either be the minister who presides over a ministry or whomever is designated by regulation. For MFIPPA institutions, the head is the council of a municipality or the board of a local board.

Once the head has been determined, the powers or duties of the head can be delegated to an officer or officers of the institution.

Head in Municipal Corporations

s.3(2) MFIPPA


MFIPPA states that the members of a council of a municipal corporation may designate from among themselves an individual or a committee of the council to act as head for the purposes of this Act. This designation must be enacted by by-law. If no person is designated as head under this section, the head shall be the council.

This power gives a council flexibility in designating who will be the head. The designated head could be an individual, such as the mayor, warden, reeve or councillor, or the head could be a committee of council, such as the executive committee or a special freedom of information and privacy committee. Where an individual is designated, the designation could be to a named individual or to a position, as appropriate.

Careful consideration should be given when deciding who will be designated as the head. The Act requires decisions about access to information to be made in a relatively short time, usually within 30 calendar days. Because of this, the head must be available to make those decisions, unless some or all of the head's duties and powers are delegated. Designating a large committee as the head may present some problems if calling the members together to make access decisions within the 30-day time limit is impractical or difficult.

To revoke a designation, a council would have to revoke the by-law that set out the designation.

Appendix I contains a sample by-law municipalities can adapt to designate the head.

Head in Local Boards and Institutions Other Than Municipal Corporations

s. 3(2) MFIPPA

The Act gives powers similar to those of municipalities to boards and other local institutions in that the members elected or appointed to a board, commission or other body that is an institution may designate an individual or a committee of the body to act as head. If there is no designation, the head shall be the members elected or appointed to the board, commission or other body.
The designation, if it occurs, must be in writing.

For example: The board of a public utilities commission could pass a resolution in writing designating the chair of the commission as the head of the institution.
To cancel the designation, a body should do so in writing.

Appendix II contains a sample written resolution local boards can adapt to designate the head.

Delegation of Head's Authority

s.62(1) FIPPA / s.49(1) MFIPPA

The head, once determined, may delegate some or all powers and duties under the Act. However, even if the powers or duties are delegated, the head remains accountable for actions taken and decisions made under the Act.

The head may delegate the powers and duties in writing to an officer or officers of the institution or, under MFIPPA, of another institution. The delegation would usually be to a position, rather than to a named individual. The document that sets out the delegation should make clear the duties and functions being delegated.

The head may also place limitations, restrictions, conditions or requirements on the delegation. A head may wish to delegate only some of the duties and retain certain decision making authority. Institutions must adhere to the delegation of authority. Where circumstances change, the institution must revise the delegation of authority.

For example: The head may wish to delegate routine duties such as sending out notices (e.g., acknowledgment letters, fee estimates), preparing the annual report, and deciding the fees to be charged, but may retain particularly important duties such as the authority to decide if an exemption from disclosure applies.

Employees who issue notices required by the Act (especially decision letters) must ensure they have the delegated authority to do so. Where an employee of an institution denies partial access to records and does not have the written authority to do so, the institution is deemed to have refused complete access to the records.

Appendix III contains some samples of written delegations under the Act, showing all the powers and responsibilities that may be delegated.

It is important to delegate responsibilities to an officer or officers of an institution who, if required, have access to decision makers and who can act quickly within the time periods prescribed in the Act.

Conflict of Interest

A conflict of interest may exist where a public official knows that he/she has a private interest that is sufficiently connected to his/her public duties to influence those public duties. The focus for conflict of interest is frequently financial matters. It may also arise when the head is meeting his/her decision-making responsibilities under the Act.

A head may be in a conflict of interest situation where it is reasonable to assume that he/she is making decisions based on their personal interest rather than the public interest. In some instances, the conflict of interest may be more apparent than real. It is recommended that delegations of the head's powers reflect the possibility of conflict of interest and provide for alternate decision-makers in those instances.

Responsibilities of the Head

s.10, 11, 24, 25, 26, 27, 27.1, 28, 29, 30, 33, 34, 36, 39, 40, 44, 46, 48, 57 FIPPA / s.4, 5, 17, 18, 19, 20, 21, 22, 25, 26, 28, 29, 30, 34, 35, 37, 45 MFIPPA

The head has certain responsibilities pursuant to the legislation, including:

  • adhering to time limits and notification requirements;
  • considering representations from third parties;
  • providing a response to access requests;
  • determining the method of disclosure;
  • responding to requests for correction of personal information;
  • calculating and collecting fees;
  • providing access by the public to manuals and guidelines prepared by the institution;
  • where necessary, defending decisions made under the Act at an appeal; and
  • administering the privacy protection provisions of the Act.

Additional Obligations under FIPPA

s.44, 46(3) FIPPA

Under FIPPA the head also has an obligation to include in a personal information bank all personal information under the institution's control which is organized or intended to be retrieved by an individual's name or by an identifying number or symbol.

When personal information is used/disclosed on a regular basis for a purpose not listed in the FIPPA Directory of Records, the head must ensure that this use/disclosure is included in the next edition of the Directory.

The head must also retain a record of any use by the institution of personal information in a personal information bank and any new use/disclosure not specified in the Directory of Records. This new use/disclosure must be recorded and attached to the personal information.

Each of the above listed duties will be discussed in more detail elsewhere in the Manual. As well, the duties shared with the Responsible Minister and reporting requirements for the Commissioner are discussed further on in this chapter.

Information Available to the Public

s.31, 32, 33, 35, 34, 36, 45 and 46 FIPPA / s.24, 25, 34 and 35 MFIPPA

A head of an institution must prepare and make available descriptions of the institution's records and personal information banks. These descriptions are intended for use by the public to determine the information generally maintained by each institution. Accurate record descriptions enable a requester to submit a more detailed request, thus simplifying the response process.

For institutions covered by FIPPA, s.36 requires heads to provide to the Responsible Minister, upon request, the information that the Responsible Minister needs to prepare the Directory of Records required by s.31, 32 and 45 of the Act.

The records descriptions of MFIPPA institutions should be made available in a publicly accessible place or a variety of places such as at the head office of a board, in the clerk's office of a municipality and/or at a public library. The descriptions of records can be prepared in a number of ways and can take advantage of existing material. For instance, municipalities and local boards can use annual reports or promotional brochures that describe how their institution is structured and organized. An institution's file plan can be used to prepare the record list.

MFIPPA heads must also ensure that the descriptions of records and personal information banks are kept accurate and up to date.

The description of records and personal information banks must include:

  • a description of the organization and responsibilities of the institution;
  • a listing of the general types or classes of records in the custody or control of the institution;
  • an index describing all the personal information banks in the custody or control of an institution including:
    • the name and location of the personal information bank;
    • the legal authority for it;
    • a description of the types of personal information in the bank;
    • how the information is used on a regular basis;
    • to whom the personal information is disclosed on a regular basis;
    • the categories of individuals about whom personal information is maintained;
    • the policies and practices about the retention and disposal of the personal information;
    • the title, address and telephone number of the head; and
    • the address to which a request for access to records should be made.

Institutions covered by FIPPA have some additional requirements to make information available under s.31, 33, and 46:

  • the location of manuals, directories and other material available for public use;
  • the location of any institution library or reading room available for public use; and
  • whenever personal information is used/disclosed on a regular basis for a purpose not listed in the Directory of Records, the head must notify the Responsible Minister forthwith of the use/disclosure.

Report to Commissioner

s.34 FIPPA / s.26 MFIPPA


The head is responsible for providing the Commissioner with an annual report that sets out the following:

  • the number of access requests received;
  • the number of requests refused, the provisions of the Act relied upon for refusal and the number of times each provision was invoked;
  • for each provision of the Act, the number of appeals commenced;
  • the number of times personal information was used or disclosed for a purpose which is not included in the statements of uses and purposes set forth under s.45(d) and (e) FIPPA / s.34 (1)(d) and (e) MFIPPA;
  • the amount of fees collected under s.57 FIPPA / s.45 MFIPPA; and
  • any other information indicating an effort by the institution to put into practice the purposes of the Act.

The IPC will forward the instructions and forms for completing this report to institutions.

Responsible Minister

s.2, 3, 31, 32, 35, 39(2), 45 FIPPA / s.2, 23, 24, 29(2), 47 MFIPPA

O.Reg.460 / O.Reg.823

The Lieutenant Governor in Council may by order designate a minister of the Crown to be the Responsible Minister. The Responsible Minister administers FIPPA/MFIPPA.

The Responsible Minister is required to:

  • publish the Directory of Institutions, a compilation listing all institutions, including information on where requests can be made and whether institutions have a library or reading room available to the public and if so, its address; and
  • publish annually a Directory of Records, an indexed listing of general records and personal information banks for FIPPA institutions.

The Responsible Minister also prepares training packages and other products including this Manual, to support the proper administration of FIPPA/MFIPPA.

The Lieutenant Governor in Council may make regulations about such matters as: procedures for access to original records or personal information, forms and standards or safeguards for the security and confidentiality of records and personal information under the control of institutions. The regulations are prepared by the Responsible Minister.

The approval of the Responsible Minister is usually required before a head may forego the legal requirement to notify the affected individual when collecting their personal information. This approval document is called a waiver of notice.

Documents Available to the Public in Accessible Locations

s.33, 35 FIPPA

The head of an institution covered by FIPPA and the Responsible Minister must work together to fulfill their responsibilities under the Act. Cooperation is particularly necessary in making documents and records accessible to the public.

The Responsible Minister must make available to the public generally and in the reading room, library or office designated by each institution covered by FIPPA, the following materials:

  • the Directory of Institutions; and
  • the Directory of Records.

The head of a FIPPA institution must make available to the public in the institution's reading room or designated office:

  • the manuals, directives or guidelines prepared by the institution which are issued to its officers and contain interpretations of the provisions of the enactment or scheme administered by the institution;
  • the instructions and guidelines for officers of the institution in the procedures, methods or objectives in administering or enforcing the provisions of any enactment or scheme administered by the institution that affects the public; and
  • the annual report to the Commissioner.

The manuals, directives or guidelines that must be made available are those prepared and used by the institution's staff to determine the eligibility of an individual for a program, changes in status or the imposition of new conditions affecting an individual in a program, or the imposition of obligations or liabilities on an individual under a program.

The requirement to make administrative instructions and guidelines available to the public covers virtually every aspect of procedures, methods or objectives of any program affecting the public.

Manuals and other materials relating only to the internal operation and administration of the institution and not affecting the public, need not be included. This covers instruction manuals for operating equipment or procedures to follow when ordering office supplies.

Guidelines and manuals of administration are subject to the same exemptions as other government records. Portions can be severed if they are exempt from disclosure under FIPPA. Any deletion must include a statement that a deletion has been made, the nature of the information deleted and the provision of the Act authorizing the deletion.

For example: A manual that deals with security precautions or protections for a building that is open to the general public (such as a jail or a laboratory) may have some sections or paragraphs severed for many legitimate reasons.

Other materials not required by the Act that might be helpful in a reading room include:

  • record retention schedules;
  • file plans; and
  • listings of publications in the institution's custody.

Freedom of Information and Privacy Coordinator

Each institution should designate an individual to coordinate freedom of information and privacy activities. This is an important function that assists the institution in meeting its statutory obligations.

The coordinating responsibilities will vary depending on an institution's size, mandate and organization. The function may be a full-time responsibility or a part-time responsibility, assigned to an employee with related duties. The Coordinator's responsibilities may include:

  • developing and monitoring procedures for administering the Act, including tracking requests, statistical reporting and ensuring adherence to legislative requirements;
  • developing policy recommendations on issues related to the legislation;
  • staff training and orientation;
  • consulting with line and senior management and legal advisors on interpreting and administering the legislation;
  • collecting information for the institution's entry in the Directory of Records or for the General Classes of Records and Personal Information Bank indexes;
  • liaising with the Corporate Freedom of Information and Privacy Office, the IPC and other institutions and central agencies;
  • making decisions on requests under the Act (on the delegated authority of the head);
  • providing consultation and support related to the Act for any agencies related to the institution; and
  • designing measures to ensure the privacy requirements of the Act are honoured.

Records Management

Improvement in records management systems throughout institutions is one of the major long-term benefits of the Act. The public has a right to expect that each institution knows what records are in its custody or control and where they are located so they can be retrieved.

The IPC has stressed the need for institutions to develop and maintain up-to-date retention schedules. Search time is reduced significantly if an institution can determine that a record has been destroyed by consulting a records destruction certificate or other such document. Lengthy searches need not be conducted to determine if a record still exists.

Please see the Access chapter (Chapter 3) for further discussion of records management related topics such as custody and control of records, including political and other elected officials' records.

Accountability

An important first step in managing an institution's records is to assign responsibility and accountability for the security of the institution's records. This assignment of responsibility and accountability will vary, depending on size and complexity of the institution. Usually, the manager with direct operational responsibility for a program would be assigned responsibility for safeguarding the records generated by that program.

In larger institutions, an internal auditor or other official could coordinate security matters throughout the organization and provide technical support to individual managers. Smaller organizations may wish to assign responsibility for records security to the chief administrative officer or other responsible position.

However an institution assigns responsibility, this assignment should be documented, and appropriate training and awareness should be provided to staff.

Security and Confidentiality of Records

s.60 FIPPA / s.47 MFIPPA

s.3 O.Reg.460 FIPPA / s.3 O.Reg.823

Regulations can be made setting standards for and requiring administrative, technical and physical safeguards to ensure the security and confidentiality of records and personal information under the control of institutions.

O.Reg.460/823, s.3 requires measures to prevent unauthorized access to an institution's records and to protect against inadvertent destruction of records. The regulations are intended to apply to access and security considerations in the day-to-day administration of an institution's records, rather than access to records in response to requests under FIPPA/MFIPPA.

The head of an institution shall ensure that only those individuals who need a record for the performance of their duties shall have access to it. In most cases, the institution would determine which staff need to have access to a particular class or series of records in the performance of duties, and take steps to ensure that access is limited to those persons.

If records are inadvertently destroyed before their proper disposal date, as specified on a retention schedule, requesters are deprived of their right of access to those records. The head must therefore take all reasonable steps to protect the institution's records from accidental destruction.

In determining what are reasonable steps, the head should consider all relevant factors, including:

  • the media of the record (protective measures appropriate for paper records, for instance, may not be appropriate for other media);
  • whether copies of the record exist;
  • whether the original copy of the record is inherently valuable (such as archival records or signature documents);
  • how vital the record is to the functions of the institution;
  • the cost of replacing or recreating the record; and
  • the cost of available protective measures.

Although measures to protect records from inadvertent destruction will vary among institutions, some common steps that might be considered include:

  • making regular back-up copies (disks, photocopies, microfilm), with a copy stored at a site separate from the original or working copy;
  • using fire-resistant file cabinets;
  • locating record storage/computer operations away from areas where fire or water damage is more likely to occur (for instance away from exposed pipes);
  • raising records and records-producing equipment off the floor to prevent flood damage;
  • installing smoke detectors and fire-extinguishing equipment (it should be noted that some automatic fire extinguishing systems such as water sprinklers, may themselves pose a hazard to records and computers); and
  • ensuring that storage facilities and maintenance practices are appropriate to the record's media (magnetic media, for instance, are especially vulnerable to inadvertent destruction or damage through improper storage). Similarly, because magnetic media are often tied to a particular operating system and set of hardware, data stored on those media may not be usable if the operating system or hardware is no longer available.

As with other measures, the institution should document steps to ensure against inadvertent records destruction.

Determining Security Requirements

Before establishing measures protecting records from unauthorized access, an institution should determine the degree to which access to its records should be controlled. Although it may be necessary to determine appropriate levels of access to individual documents or files, usually this determination would be on the basis of record series. When considering access controls for record series, the level of security should be appropriate for the most sensitive information in the series.

All relevant factors should be taken into account in determining whether access to records should be controlled, and the scope and extent of those controls, including:

  • whether or not exemptions are likely to apply to the records;
  • the nature of the exemptions (mandatory or discretionary) which may apply;
  • the circumstances under which the records were supplied to or created by the institution;
  • possible harms which may result from unauthorized access;
  • the need to protect the records from tampering; and
  • the need to protect unique or original records.

Security Measures

In identifying security measures, the head should balance the cost and complexity of such measures against the possible harms resulting from unauthorized access. Security measures should be appropriate to the nature of the record and to the level of security required.

For paper records, security measures can include:

  • clean desk policies, where desks are locked when unattended;
  • locking filing cabinets, which are locked when unattended, and where key distribution is limited and documented;
  • central file stations, with log-in and log-out procedures for files, accompanied by restriction on the making of copies;
  • locked file room with access controlled by file room staff;
  • coded file labels, labels using numeric or alpha-numeric codes rather than descriptive texts;
  • inclusion of security provisions in contracts with outside suppliers of records storage and disposal services;
  • record distribution/circulation policies which limit the production and circulation of records to staff on a need-to-know basis; and
  • policies and procedures for using facsimile machines, including policies on types of information which should not be faxed, staff access to and physical placement of the fax machine. Checking procedures such as ensuring that the document is being sent to the correct number prior to sending documents should also be developed. The IPC has prepared guidelines on the use of facsimile machines which may be consulted.

Information Technology Security

For FIPPA institutions, Management Board of Cabinet has approved the "Information Technology Security Directive". The purpose of this directive is:

  • To ensure that ministries and agencies safeguard confidential information as well as the integrity and availability of data while it is created, entered, processed, communicated, transported, disseminated, stored or disposed of through information technology.
  • To promote and maintain among ministry and agency staff an awareness of the security requirements of information technology resources.
  • To define the responsibilities and mandatory requirements for developing, implementing and managing security measures for information technology resources.

This directive applies to all ministries and all Schedule 1 agencies unless exempted in a Memorandum of Understanding.

This directive applies to:

  1. Ministry and agency information in electronic form; and
  2. All ministry and agency information in paper form or otherwise not in electronic form, when such information is under the operational control of a provider of information technology services.

Note: A guideline entitled "Information Technology Security: A Manager's Guide" has also been published to assist in putting the directive into practice.

Factors for all institutions to consider in determining whether access to records should be controlled, and the scope and extent of those controls, include:

  • positioning terminals in such a manner that passers-by cannot read information displayed on screen;
  • password protection for computer hardware, with policies in place governing the assignment, use and deletion of user identifications and passwords;
  • encryption of transmitted data or developing guidelines for transmitting confidential information, for example, guidelines for the use of electronic mail;
  • tracking systems which monitor the use of data, and which identify the system user; and
  • inclusion of security provisions in contracts with outside suppliers of information technology services.

Routine Disclosure/Active Dissemination (RD/AD)

RD/AD are separate concepts but are both ways of providing greater access to government information. Routine disclosure occurs when a request for a general record can be granted routinely either inside or outside of the formal access process prescribed by FIPPA or MFIPPA. Active dissemination occurs when information or records are periodically released (without any request) pursuant to a specific strategy for release of information.

RD/AD can be an important part of an institution's commitment to easier, faster and more cost-effective access to records. While not specifically mandated in FIPPA/MFIPPA, s.63(1) FIPPA / s.50(1) MFIPPA provide for the disclosure of information outside of the formal access process - for example, through oral requests or in the absence of requests.

The IPC and MBS jointly published two papers that provide advice and examples on enhancing access to government information through the use of RD/AD practices. These publications are available through the IPC.