Our last posting provided a broad outline of the Freedom of Information and Protection of Privacy Act (“FIPPA”, for short). As we noted before, FIPPA isn’t just for information held by the government; many non-governmental organizations, including hospitals and universities, have an obligation to respond to public requests for access to their records. You can find out whether your organization is subject to FIPPA here: https://www.ontario.ca/document/directory-institutions.
This time we’re going to focus on one crucial aspect of FIPPA: record preservation. Recall that if an organization is subject to FIPPA, individuals and corporations have a right to access the information that it collects and uses, subject to limited exclusions and exemptions. When a request for access is made, the organization must respond within 30 days (subject to limited extensions). Compliance would be virtually impossible absent a reliable records management system that incorporates clear recordkeeping requirements, and FIPPA is designed to ensure such a system is in place, while setting rules about the collection and use of the personal information organizations gather.
To begin with, collection and use of personal information is forbidden unless it’s expressly permitted by statute, or is necessary in connection with an organization’s lawful activity. FIPPA imposes a responsibility to protect the confidentiality of the collected personal information and the privacy of the individuals to whom it relates. FIPPA also sets out retention and destruction requirements for records containing personal information.
In support of this, organizations are required to define, document, and put into place reasonable measures to prevent unauthorized access to all records. And institutions are also required – and this really does bear emphasis – to ensure that only the individuals who need the records to perform their duties are given access to them. This is where many organizations run into trouble.
While FIPPA has always addressed the implementation of measures to prevent unauthorized access to records and their inadvertent damage or destruction, since 2014 organizations must develop, document, and implement reasonable measures to preserve records in the institution’s custody or control according to the applicable record-keeping or record retention requirements or policies established under a statute or otherwise. There may also be government directives that apply to given organizations, while those that are designated as “public bodies” under the Archives and Recordkeeping Act, 2006 are subject to additional requirements to create a records schedule, submit it to the Archivist of Ontario for approval, and then follow it. A lengthy list of the designated public bodies can be found here: https://www.ontario.ca/laws/regulation/070336
The impetus to emphasize record preservation arose in the wake of the government’s cancellation of various gas plant agreements, which generated controversy that prompted an investigation by the Ontario Information and Privacy Commissioner into the records management practices of political staff. The investigation revealed that senior ministerial staff and personnel within the premier’s office had destroyed or deleted e-mails, which was already a contravention of the archives and recordkeeping legislation mentioned above. It seemed something more was needed. In the Commissioner’s strongly worded report and addendum, changes to FIPPA were recommended.
Thus FIPPA was updated in 2014 with the record preservation requirement described above. It was also amended to make it an offence for anyone to “alter, conceal or destroy a record, or cause any other person to do so, with the intention of denying a right under [the Act] to access the record or the information contained in the record.” To establish this offence one must prove the actor’s intention to deny a right of access, meaning inadvertent destruction of records would likely not attract a penalty. However, it is sensible to avoid the necessity of proving inadvertent destruction by implementing best practices that comply with law. For institutions considering the destruction of records containing personal information, such destruction can only be done in accordance with the requirements set out in FIPPA. And for public bodies considering the destruction of public records, the Archives and Recordkeeping Act requires that record destruction only occur in accordance with approved records schedules or with the consent of the Archivist of Ontario. Best practices require rigorous adherence to FIPPA’s requirements, records schedules (for public bodies), and the organization’s own internal policies. This is the only sensible way forward.
Please feel free to contact me at firstname.lastname@example.org.