Record Preservation under FIPPA

Our last posting provided a broad outline of the Freedom of Information and Protection of Privacy Act (“FIPPA”, for short). As we noted before, FIPPA isn’t just for information held by the government; many non-governmental organizations, including hospitals and universities, have an obligation to respond to public requests for access to their records. You can find out whether your organization is subject to FIPPA here:

This time we’re going to focus on one crucial aspect of FIPPA:  record preservation. Recall that if an organization is subject to FIPPA, individuals and corporations have a right to access the information that it collects and uses, subject to limited exclusions and exemptions. When a request for access is made, the organization must respond within 30 days (subject to limited extensions). Compliance would be virtually impossible absent a reliable records management system that incorporates clear recordkeeping requirements, and FIPPA is designed to ensure such a system is in place, while setting rules about the collection and use of the personal information organizations gather.

To begin with, collection and use of personal information is forbidden unless it’s expressly permitted by statute, or is necessary in connection with an organization’s lawful activity. FIPPA imposes a responsibility to protect the confidentiality of the collected personal information and the privacy of the individuals to whom it relates.  FIPPA also sets out retention and destruction requirements for records containing personal information.

In support of this, organizations are required to define, document, and put into place reasonable measures to prevent unauthorized access to all records.  And institutions are also required – and this really does bear emphasis – to ensure that only the individuals who need the records to perform their duties are given access to them. This is where many organizations run into trouble.

While FIPPA has always addressed the implementation of measures to prevent unauthorized access and inadvertent damage or destruction to records.  Since 2014, organizations must develop, document, and implement reasonable measures to preserve records in the institution’s custody or control according to the applicable record-keeping or record retention requirements or policies established under a statute or otherwise. There may also be government directives that apply to given organizations, while those that are designated as “public bodies” under the Archives and Recordkeeping Act, 2006 are subject to additional requirements to create a records schedule, submit it to the Archivist of Ontario for approval, and then follow it.  A lengthy list of the designated public bodies can be found here:

The impetus to emphasize record preservation arose in the wake of the government’s cancellation of various gas plant agreements, which generated controversy that prompted an investigation by the Ontario Information and Privacy Commissioner into the records management practices of political staff. This revealed that senior ministerial staff and personnel within the premier’s office had destroyed or deleted e-mails, which was already a contravention of the archives and recordkeeping legislation mentioned above. It seemed something more was needed.  In the Commissioner’s strongly worded report and addendum, changes to FIPPA were recommended.

Thus FIPPA was updated in 2014 with the record preservation requirement described above. It was also amended to make it an offence for anyone to “alter, conceal or destroy a record, or cause any other person to do so, with the intention of denying a right under [the Act] to access the record or the information contained in the record.” To establish this offence one must prove the actor’s intention to deny a right of access, meaning inadvertent destruction of records would likely not attract a penalty.  However, it is sensible to avoid the necessity of proving inadvertent destruction by implementing best practices that comply with law.  For institutions considering the destruction of records containing personal information, such destruction can only be done in accordance with the requirements set out in FIPPA. And for public bodies considering the destruction of public records, the Archives and Recordkeeping Act requires that record destruction only occur in accordance with approved records schedules or with the consent of the Archivist of Ontario.  Best practices require rigorous adherence to FIPPA’s requirements, records schedules (for public bodies), and the organization’s own internal policies. This is the only sensible way forward.

Please feel free to contact me at

If you are a FIPPA or MFIPPA institution – you must know the new recordkeeping obligations

On January 1, 2016, amendments came into force that impact recordkeeping obligations under FIPPA and MFIPPA. The Information and Privacy Commissioner of Ontario released a document to explain the amendments and assist institutions to meet their new obligations called  “FIPPA and MFIPPA: Bill 8 – The Recordkeeping Amendments”.  As an example of the changes, institutions are now required to ensure the preservation of records and makes it an offence to alter, conceal or destroy a record with the intention of denying a right of access to the record or the information the record contains.

This is a must read for all health sector FOI co-ordinators.



IPC annual report released with FIPPA and PHIPA statistics for 2011 – health sector specific analysis

On June 4, 2012, the Information and Privacy Commissioner of Ontario (IPC) released her 2011 annual report which  includes the access and privacy statistics for the Ministry of Health and Long-Term Care (MoHLTC), hospitals, health units, Local Health Integration Networks (LHINs), and other health care organizations under the Freedom of Information and Protection of Privacy Act  (FIPPA) and the Personal Health Information Protection Act (PHIPA). Read More

Final contracts with vendors not exempt under FIPPA – including hourly rates

Many hospitals are receiving requests under the Freedom of Information and Protection of Privacy Act (FIPPA) for contracts that they have entered into with third party vendors.  Not surprisingly, third parties tend to be highly protective of their commercial information and may be shocked to learn that their contracts with the hospital are at risk of being disclosed.  A recent case involving a regional municipality and a bus service company shows that the Information and Privacy Commissioner/Ontario (IPC) will disclose final contracts, including ones that contain a vendor’s hourly rates and other financial incentives. Read More